1 Introduction
Quantum copy-protection was proposed by Aaronson in [aaronson2009quantum]. Similar to the more widely studied quantum money, quantum copy-protection is also inspired by the no-cloning property of quantum information, but it aims at a different security goal: for quantum money, we need verifiable, unclonable quantum states; for quantum copy-protection, we want unclonable states that can also let us compute certain functions correctly.
The informal definition of quantum copy-protection is as follows: given a secret function drawn from a publicly known function family , we want a quantum state that (1) can be efficiently prepared given a classical description of ; (2) can be used to compute efficiently and correctly for (almost) all inputs ; (3) cannot be used to efficiently prepare more states and functions such that and can compute correctly almost everywhere.
The idea of quantum money was first introduced by Wiesner [wiesner1983conjugate] around 1970. A secure quantum money scheme should have the following properties (assuming all parties have access to some quantum resources): an efficient algorithm to prepare the quantum money state; an efficient quantum algorithm to verify money produced by the bank with high probability; and no one (except the bank) can efficiently duplicate states accepted by the verifier except with exponentially small probability. In a secure public-key (publicly verifiable) quantum money scheme, the verification part is public, i.e. anyone can verify the money efficiently.
Among the public-key quantum money schemes proposed to date, Aaronson and Christiano [aaronson2012quantum] constructed a simple and beautiful scheme relative to a classical oracle, namely the subspace membership oracle: the oracle holds a secretly, randomly chosen dimensional subspace inside and, upon each input vector, outputs 1 if the vector is in and 0 otherwise. The security of this scheme in the oracle setting is proven using a quantum lower bound obtained through the inner-product adversary method; later Zhandry [zhandry2017quantum] instantiated the subspace membership oracle with a black-box construction from quantum-secure indistinguishability obfuscation (iO) and injective one-way functions. Indistinguishability obfuscation is an algorithm that takes two circuits with the same functionality and produces two obfuscated circuits that maintain the original functionality, but such that a probabilistic polynomial-time adversary cannot distinguish between the two obfuscated circuits. [zhandry2017quantum] assumes a quantum-secure version of this primitive together with injective one-way functions to construct a subspace-hiding obfuscator that achieves the subspace-hiding property needed in the [aaronson2012quantum] quantum money scheme.
Quantum copy-protection is a less explored idea. So far we do not have any provably secure copy-protection scheme for any class of functions, even when oracles are allowed. By unlearnable functions, we mean a function family that is not learnable from its input/output behavior by any quantum polynomial-time (QPT) adversary having only classical black-box access to the functions. [aaronson2009quantum] showed that learnable function families cannot be copy-protected. [aaronson2009quantum] also showed that learnability is the only obstruction to quantum copy-protection relative to a quantum oracle, but did not give a provably secure copy-protection scheme or a specific quantum oracle to build copy-protection upon. Moreover, the ultimate goal is to design an explicit and practical copy-protection scheme; this led us to raise the following open problem:
Can we design a quantum copy-protection scheme relative to a classical oracle?
1.1 Main Results
Quantum Copy-Protection Relative to a Classical Oracle
Our main contribution resolves the foregoing open problem with a positive answer. Namely, we present a copy-protection scheme, suggested by Paul Christiano, based on the same subspace membership oracles as in [aaronson2012quantum], and prove the following theorem, which shows that our scheme is secure against any quantum polynomial-time adversary for a large class of functions relative to a classical oracle.
Theorem 1.1 (Informal).
For any quantumly unlearnable family of functions , we can construct a copy-protection scheme for such that, using a classical oracle:

Any authorized user can use the program to compute correctly and efficiently polynomially many times.

Any quantum polynomial-time adversary (whether an authorized user or not) cannot pirate the copy-protection program of , except with negligible probability.
The high-level idea is that the copy-protection scheme requires any authorized user to query the oracle twice using an “unclonable” state in order to obtain a valid computation result. More specifically, this unclonable state is an equal superposition over some subspace, known only to the vendor. Upon the first query, the user queries the oracle on the original state and its own input for the function, and receives the function's computation result masked with randomness; on the second query, the user uses the state after applying the Quantum Fourier Transform and the same function input, and receives the corresponding randomness. The user can then remove the randomness to obtain the correct computation result. On the other hand, any unauthorized user almost always gets useless outputs.
The anti-piracy security first relies on the quantum hardness of the direct-product problem in [ben2016quantum]: given the membership oracle for a secret, randomly chosen dimensional subspace and the membership oracle for its dual subspace , it is hard for a quantum polynomial-time adversary to find two nonzero vectors .
Next we prove that any QPT adversary that breaks the anti-piracy security of the copy-protection scheme falls into one of two categories, Type I and Type II. For any Type I adversary, there is a QPT reduction algorithm that uses it to solve the direct-product problem by extracting information from the queries the produced pirate programs make to the oracle. For any Type II adversary, which does not achieve what Type I adversaries do, a QPT algorithm can use it to quantumly learn an unlearnable function having only classical black-box access to the function. The quantum lower bound for the direct-product problem and the unlearnability of the copy-protected functions immediately give us the security of the scheme when the adversary can only access one piece of the program, which we call mini-scheme security. We then generalize our construction from a mini-scheme to the case where an adversary can access polynomially many programs for the same function, and prove security in this case.
We also point out some directions for removing the oracle and implementing the scheme with cryptographic primitives; the existence of quantum-secure indistinguishability obfuscation is very likely necessary but not sufficient.
Relation to Public-key Quantum Money
We show that quantum copy-protection for the decryption function of a quantum CCA-secure public-key encryption (PKE) scheme implies publicly verifiable quantum money. If we can copy-protect the decryption function (with the secret key), we can let a quantum copy-protection program be a quantum banknote; then everyone can use the corresponding public key of the encryption scheme to verify a quantum money state. Such a candidate quantum CCA-secure PKE scheme can be built from Learning with Errors (LWE).
Similarly, we show that quantum copy-protection for certain quantum-secure injective trapdoor functions implies publicly verifiable quantum money.
1.2 Relevant Works
Quantum Copy-Protection
Quantum copy-protection was proposed by Aaronson in [aaronson2009quantum], which also gave two candidate schemes for copy-protecting point functions without security proofs. He proved that any functions that are not quantumly learnable can be quantumly copy-protected relative to a quantum oracle, based on complexity-theoretic no-cloning, but did not give a quantum oracle construction.
Broadbent and Lord [Broadbent2019UncloneableQE] introduced unclonable encryption. They construct schemes for encoding classical plaintexts into quantum ciphertexts, which prevents copying of encrypted data. Unclonable encryption can be seen as copy-protecting a unit of functional information simpler than a function.
Quantum Money
Quantum money was first proposed by Wiesner [wiesner1983conjugate] around 1970. His scheme is based on conjugate coding, consisting of a unique classical serial number and polarized photons that determine the quantum state. However, as pointed out by Aaronson et al. [aaronson2012quantum], his scheme has some drawbacks, including the verifiability problem, the online attack problem and the giant database problem. A few decades later, Aaronson [aaronson2009quantum] gave the first public-key quantum money and quantum copy-protection. He proved that it is possible to construct secure public-key quantum money relative to a quantum oracle. However, his explicit scheme was broken by Lutomirski et al. [lutomirski2009breaking]. Later, Aaronson and Christiano [aaronson2012quantum] proposed a secure public-key quantum money scheme relative to a classical oracle; they used hidden subspaces and quantum-secure digital signatures to build the scheme. Its explicit instantiation using conjectures about polynomials was later broken, but the oracle version is proven secure through a lower bound obtained by the inner-product adversary method. Zhandry [zhandry2017quantum] studied quantum lightning, a formalization of “collision-free quantum money”. He showed the relation between quantum money/quantum lightning and the security of signatures/hash functions; [zhandry2017quantum] also instantiated the quantum money scheme of Aaronson and Christiano with quantum-secure indistinguishability obfuscation. More recently, Kane [kane2018quantum] showed a new approach for public-key quantum money using modular forms. Ji et al. [ji2018pseudorandom] defined pseudorandom quantum states (PRS), a family of quantum states such that a random member of the family cannot be efficiently distinguished from a state drawn according to the Haar measure. They gave efficient constructions of PRSs assuming that quantum-secure one-way functions exist. Using PRS, they give a more generic and query-secure private-key quantum money scheme.
Another interesting setting to consider is classically verifiable quantum money, introduced in [gavinsky2014classicalqm]. The communication between the bank and the user is classical, and verification is done through interactive protocols between them. [radiansattath2019semiquantum] gives a construction for such semi-quantum money assuming a quantum-secure Message Authentication Code (MAC) and Learning with Errors (LWE), making use of the noisy trapdoor claw-free functions introduced by [Brakerski2018ACT].
Aaronson [aaronson2018shadow] showed a relation between quantum money and shadow tomography of quantum states. He proved that for any private-key quantum money scheme, a counterfeiter can produce additional bills with high probability given polynomially many legitimate bills and exponential time, without querying the bank.
One-time Programs and One-time Memory
Another idea for copy-protecting software is the one-time program, introduced in [goldwasser2008onetime]. One-time programs can be executed on only a single input, and nothing other than the result of this computation is leaked. One-time memory is a notion analogous to oblivious transfer, except that the sender destroys the database after the transfer; it is classically unachievable without hardware assumptions. Quantum one-time programs are discussed in [broadbent2013quantum], which shows that any quantum circuit can be compiled into a one-time program assuming only the same basic one-time memory devices used for classical circuits.
Obfuscation
Obfuscation is a classical cryptographic primitive that hides the computation procedure of a function while maintaining its functionality. The most ideal and strongest notion, virtual black-box (VBB) obfuscation, was proven impossible for general circuits/TMs in [barak2001possibility]. VBB obfuscation constructions nevertheless exist for certain functionalities such as point functions; there are also realizations of weaker VBB notions, for example distributional VBB obfuscation based on lattices, in [goyal2017lockable] and [wichs2017obfuscating].
Indistinguishability obfuscation (iO) was put forward by [barak2001possibility, barak2012possibility] as a weaker substitute for the too-strong notion of black-box obfuscation. What iO achieves is making two circuits with almost identical functionalities indistinguishable to the adversary. Garg et al. [garg2016candidate] described a candidate iO construction for circuits using multilinear maps. Recently, [AJLMS2019iowithoutmmp] gave an iO construction assuming bilinear maps, subexponential hardness of Learning with Errors (LWE), weak PRGs and security amplification; the assumptions are further simplified in [jain2019simplifying]. Though difficult to construct from standard assumptions, iO as a black box is extremely useful in building other cryptographic primitives, as shown in works such as [sahai2014use].
On the quantum side, Alagic and Fefferman [alagic2016quantum] defined several notions of quantum obfuscation and proved several impossibility results.
Watermarking
Watermarking is a different way to copy-protect software classically, by embedding a “watermark” into the software's functionality; a verification algorithm can verify the watermark, and a watermarked program cannot function properly if the watermark is removed. [barak2001possibility] proposed the notion of watermarking and [hopper2007weakwatermark] gives more general and rigorous definitions for watermarking schemes. Later works, such as [cohen2015publicly, nishimaki2015watermarking, kim2017watermarking, cohen2018watermarking, quach2018watermarking], study further variants of the goal, such as public-key watermarking and publicly verifiable watermarking, and watermarking schemes for cryptographic primitives such as PRFs.
2 Preliminaries
In this paper, we use to denote and use to denote all dimensional subspaces in .
Definition 2.1 (Dual Subspace).
Given a subspace of a vector space , let be the orthogonal complement of : the set of such that for all . It is not hard to show: is also a subspace of ; .
2.1 Quantum Information and Query Models
In this work, we consider the quantum query model, which gives quantum circuits access to some oracles. The classical and quantum oracles are defined as follows.
Definition 2.2 (Classical Oracle).
A classical oracle on input query is a unitary transformation of the form for function .
Definition 2.3 (Quantum Oracle).
A quantum oracle is an arbitrary qubit unitary transformation that a quantum algorithm can apply in a black-box way. Given an oracle that computes a function on input , we usually write : the first part is the quantum system over the set of possible inputs; the second part is the quantum system over the set of possible outputs; the third is the workspace register, which is reset after use.
Note that a classical oracle can be queried in quantum superposition. The main difference between classical and quantum oracles is that classical oracle for a function on input puts the response in the phase, but a quantum oracle can answer with a superposition of computation results.
The “No-Cloning Theorem” states that it is impossible to clone an unknown arbitrary quantum state. This impossibility can also be characterized by query complexity, as a generalization of the No-Cloning Theorem and the BBBV lower bound for quantum search.
Theorem 2.4 (Complexity-Theoretic No-Cloning [aaronson2012quantum]).
Given one copy of , as well as oracle access to such that and for all orthogonal to , a counterfeiter needs queries to prepare with certainty (for a worstcase ).
In addition, we also use the “Gentle Measurement Lemma” or “Almost As Good As New Lemma”.
Theorem 2.5 (Gentle Measurement Lemma [aaronson2004limitations]).
Suppose a measurement on a mixed state yields a particular outcome with probability . Then after the measurement, one can recover a state such that .
2.2 Cryptography
Definition 2.6 (Negligible Function).
We call a function negligible if for all , such that for all . We denote a negligible function in parameter as .
Definition 2.7 (Quantum Unlearnability).
We consider a quantum polynomial-time algorithm with classical oracle access to a function ; the function is sampled from with an efficiently computable testing distribution over the domain ; let be the output of , where is a polynomial-size quantum or classical circuit and is a (mixed) state.
A distinguisher Dist is a quantum polynomial-time algorithm having access to the full description of and the testing distribution ; Dist samples polynomially many inputs from and checks if . Dist outputs 1 if and only if it finds some such that ; otherwise it outputs 0. For any , we call a family of functions quantumly unlearnable if the following holds for any such quantum polynomial-time algorithm :
(1) 
where is some non-negligible probability in terms of the output length.
Definition 2.8 (Public Key Quantum Money).
A public-key (publicly verifiable) quantum money scheme consists of the following algorithms:

takes as input a security parameter , and generates a key pair .

takes in a secret key sk and generates a quantum banknote state .

takes as input public key pk, and a claimed money state , and outputs either 1 for accept or 0 for reject.
A secure publickey quantum money should satisfy the following properties:

Verification Correctness: For any , there exists a negligible function so that the following holds:

Unclonable Security: For any , suppose a QPT adversary is given number of valid bank notes and then gives number of claimed bank notes to verification algorithm Ver, there exists a negligible function such that the following holds for all QPT adversary :
Note that public-key quantum money in fact refers to publicly verifiable quantum money; we conform to the tradition of calling it public-key quantum money.
Definition 2.9 (Digital Signatures).
A (classical) public-key digital signature scheme D consists of three probabilistic polynomial-time classical algorithms:

takes as input a security parameter , and generates a secret and public key pair .

takes in secret key sk and a message , and generates a signature .

takes as input public key pk, a message , and a claimed signature , and outputs either 1 for accept or 0 for reject.
A secure digital signature scheme should satisfy the following properties:
Verification Correctness: For any , so that the following holds:
Unforgeability: For any , suppose a PPT adversary is given valid signatures from a signing oracle on message queries of its choice, and then outputs a claimed signature on a message not queried before; there exists a negligible function so that for any such :
More cryptography primitives and assumptions used are given in Appendix B.
3 Quantum Copy-Protection Relative to a Classical Oracle
We define a correct and secure quantum copy-protection scheme as follows.
3.1 Quantum Copy-Protection Definition
Definition 3.1.
Consider a family of functions . A quantum copy-protection scheme for consists of the following procedures:

Generation: Given and parameter , the vendor can generate a copy-protected program and a quantum key in time.

Computation: Given , a user can compute the function for any by running the program in time.
Correctness and Security
We assume the quantum communication channel between the vendor and the customer is secure.
A quantum copy-protection scheme with parameter should satisfy the following properties:

Correctness: The customer with the key can compute the function by running the program , i.e.,
(2) where the probability is over the randomness used in the generation of .

Anti-Piracy: The anti-piracy security is defined through the game below.
Setup Phase:

The challenger (vendor) samples , and is a testing distribution for .
Challenger runs for times to generate copies of programs:
(3)
Challenge Phase:

The challenger gives the copies of programs generated above to a quantum polynomial-time adversary .
Afterwards, generates programs . Each program consists of a polynomial-size quantum circuit and a (mixed) state .
To verify these programs, consider the challenger now as a quantum polynomial-time distinguisher Dist which knows the full description of the function and the testing distribution , and is given the pirated programs . For each program , Dist outputs 1 if and only if an input-output difference can be found between and . We say that the th program is verified if .
wins if all are verified.
The scheme has anti-piracy security if for any QPT adversary , the following holds for any :
(4) where the probability is taken over the choice of and the randomness used in the setup.
We sometimes denote the above probability as , the advantage of in the anti-piracy security game.
Note that each pirated program for should consist of a polynomial-size quantum/classical circuit and a mixed state . If the circuit produced is classical and does not need auxiliary quantum input, the adversary is defined to always provide a useless , such as a string of classical zero bits. The distinguisher will then run program on input as . Though the distinguisher is QPT, it needs quantum resources in order to run the pirated programs; its verification criterion is solely the comparison of the input-output behavior of the pirated programs with that of , and nothing else.
Remark 3.2.
The testing distribution over the inputs is important, since can be different for different sampled from the same family (for example, point functions). The role of the distinguisher allows the pirate programs to be tested on a polynomial number of points sampled from the distribution. For an unlearnable family of functions , when we copy-protect , the distinguisher Dist uses the same testing distribution corresponding to from as in Definition 2.7 to verify the pirate programs.
Remark 3.3.
In this paper, the copy-protection scheme we present is based on a classical oracle, which we will for simplicity refer to as . Since the oracle is public, not only does the adversary have access to , the pirate programs produced by do as well. Sometimes we will use the notation or to emphasize that the program or the circuit has access to .
3.2 Quantum Copy-Protection Mini-scheme
In this section we make use of the subspace membership oracles of [aaronson2012quantum] to construct a quantum copy-protection scheme.
First, we give a “mini-scheme” for quantum copy-protection that is secure only for a single distribution of the software. Then, we show that the mini-scheme can be generalized from one to polynomially many copies.
Let be a family of functions: where . We assume is quantumly unlearnable and can be computed by polynomial-size classical circuits.
The mini-scheme for quantum copy-protection of a function is as follows:

Generation: The vendor picks a uniformly random subspace of dimension and prepares a subspace state on qubits corresponding to :
(5) as the key of the program. The classical description of is kept private.
Then, it generates an oracle such that
(6) where are uniformly random functions.
Finally, it gives via a secure quantum channel to the customer and publishes the oracle .

Computation: Note that from the subspace state , we can obtain the subspace state by applying the Quantum Fourier Transform to qubits, i.e. . To compute , the customer runs the program as
(7) Note that the customer first queries and then . Hence, only one copy of is enough for the computation.
For notation, we denote the copy-protected program as the oracle access to for function . The customer receives the full program as . Throughout the paper, the oracle notation refers to the specific copy-protection oracle described above.
4 Analysis of the Mini-Scheme
In this section, we show that the mini-scheme satisfies Definition 3.1 of quantum copy-protection.
Correctness and Efficiency
For the Generation part, as shown in [aaronson2012quantum], given a basis of , the subspace state can be prepared in polynomial time. For the oracle, it only needs to check membership in and . Hence, assuming the truth tables of are given, the oracle can be generated in polynomial time. Therefore, the whole Generation part can be done in time.
For the Computation part, the program computes with high probability, because for each , if and only if it picks or , which happens with probability .
Because of this high success probability of a single-round computation, by the Gentle Measurement Lemma (Theorem 2.5), the state can be used polynomially many times.
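The following Python program is an added example, not code from the paper, that simulates the classical side of the mini-scheme above: it computes the dual of a random subspace over GF(2) (Definition 2.1, including the check that the dual of the dual is the original subspace), builds the copy-protection oracle with lazily sampled random functions kept in tables, shows the two-query computation unmasking the function value, shows that a vector lying in neither subspace only ever receives the masking randomness, and classifies the recorded queries as informational in the sense used in the analysis that follows. Everything not stated on the page is assumed and labelled in the code: the ambient space is GF(2)^n with the hidden subspace of dimension n/2, the oracle on input (v, x) returns f(x) XOR r1(x) for v in A, r1(x) for v in the dual, and r2(x) otherwise, and the quantum subspace state is replaced by classically sampled vectors, so the oracle logic is modelled but not the unclonability on which the security rests.

```python
"""Classical simulation of the copy-protection mini-scheme oracle (added example, not the
paper's code).  Assumed, since the page's formulas are missing: vectors are bitmasks in
GF(2)^n, A has dimension n/2, and O(v, x) = f(x) ^ r1(x) if v in A, r1(x) if v in A_perp,
r2(x) otherwise, with r1, r2 random functions tabulated lazily (as the Section 4.1
reductions simulate them).  Sampled classical vectors stand in for the quantum subspace
state, so the oracle logic is modelled but not unclonability."""
import random
from typing import Dict, Optional

Basis = Dict[int, int]  # leading-bit position -> basis vector, kept in echelon form

def insert(basis: Basis, v: int) -> bool:
    """Add v to the basis; returns False if v was already in its span."""
    while v:
        hb = v.bit_length() - 1
        if hb not in basis:
            basis[hb] = v
            return True
        v ^= basis[hb]
    return False

def in_span(basis: Basis, v: int) -> bool:
    return not insert(dict(basis), v)  # membership check: v reduces to zero by the basis

def dual_subspace(basis_a: Basis, n: int) -> Basis:
    """Definition 2.1: A_perp = {w : <a, w> = 0 mod 2 for all a in A}.  Brute force over
    GF(2)^n, which is fine for the small n of this demo (checking basis vectors suffices)."""
    dual: Basis = {}
    for w in range(1 << n):
        if all(bin(a & w).count("1") % 2 == 0 for a in basis_a.values()):
            insert(dual, w)
    return dual

def random_element(basis: Basis, rng: random.Random, avoid: Optional[Basis] = None) -> int:
    """Random nonzero combination of the basis (what measuring the subspace state yields),
    kept outside the `avoid` subspace if one is given."""
    while True:
        v = 0
        for b in basis.values():
            v ^= b if rng.getrandbits(1) else 0
        if v and not (avoid and in_span(avoid, v)):
            return v

class CopyProtectionOracle:
    """The vendor's public oracle with lazily sampled, tabulated random functions r1, r2."""
    def __init__(self, f, basis_a, basis_ap, rng, out_bits):
        self.f, self.a, self.ap, self.rng, self.bits = f, basis_a, basis_ap, rng, out_bits
        self.r1, self.r2, self.log = {}, {}, []  # log keeps every (v, x) query

    def _rand(self, table, x):
        if x not in table:  # the same x must always receive the same random string
            table[x] = self.rng.getrandbits(self.bits)
        return table[x]

    def query(self, v, x):
        self.log.append((v, x))
        if in_span(self.a, v):
            return self.f(x) ^ self._rand(self.r1, x)
        if in_span(self.ap, v):
            return self._rand(self.r1, x)
        return self._rand(self.r2, x)

def honest_compute(oracle, a, b, x):
    """Authorized user: query with a in A, then with b in A_perp; the XOR unmasks f(x)."""
    return oracle.query(a, x) ^ oracle.query(b, x)

def informational(log, basis_a, basis_ap):
    """Section 4.1: some x was queried with a nonzero vector in A and one in A_perp."""
    seen = {}
    for v, x in log:
        if v and in_span(basis_a, v):
            seen.setdefault(x, set()).add("A")
        elif v and in_span(basis_ap, v):
            seen.setdefault(x, set()).add("Ap")
    return any(s == {"A", "Ap"} for s in seen.values())

def demo(n: int = 8, seed: int = 7) -> dict:
    rng = random.Random(seed)
    while True:  # uniformly random subspace of dimension n/2 whose dual is not inside it
        basis_a: Basis = {}
        while len(basis_a) < n // 2:
            insert(basis_a, rng.getrandbits(n))
        basis_ap = dual_subspace(basis_a, n)
        if any(not in_span(basis_a, w) for w in basis_ap.values()):
            break
    dd = dual_subspace(basis_ap, n)  # (A_perp)_perp should be A again
    dual_of_dual_is_a = len(dd) == len(basis_a) and all(in_span(dd, a) for a in basis_a.values())
    f = lambda x: (37 * x + 11) & 0xFF  # constructed toy function with 8-bit outputs
    oracle = CopyProtectionOracle(f, basis_a, basis_ap, rng, out_bits=8)
    a = random_element(basis_a, rng)
    b = random_element(basis_ap, rng, avoid=basis_a)  # vectors in both subspaces take the A branch
    honest_ok = all(honest_compute(oracle, a, b, x) == f(x) for x in range(1 << n))
    while True:  # an unauthorized vector lying in neither subspace
        v = rng.getrandbits(n)
        if not in_span(basis_a, v) and not in_span(basis_ap, v):
            break
    hits = sum(oracle.query(v, x) == f(x) for x in range(1 << n))  # r2(x) == f(x) only by chance
    return {"dual_dim": len(basis_ap), "dual_of_dual_is_a": dual_of_dual_is_a,
            "honest_ok": honest_ok, "unauthorized_hits": hits,
            "informational": informational(oracle.log, basis_a, basis_ap)}
```

The table-based `_rand` is the same lazy sampling that the reductions later in Section 4.1 rely on: a simulator that never holds the real random functions can still answer every query consistently, which is also why a pirate program that makes no informational queries sees only strings uncorrelated with the function.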
4.1 Anti-Piracy Security
Next we show that the quantum copy-protection mini-scheme for any unlearnable family of functions has anti-piracy security against any quantum polynomial-time adversary. More formally:
Theorem 4.1.
Given a copy-protected program for function , i.e. oracle access to and a subspace state , for any QPT adversary A, there exists a negligible function such that for any and any unlearnable family of functions , the following holds:
(8) 
Later, for notational convenience, we denote
(9) 
To prove the theorem, we first need to show that the problem of finding two nonzero points in and respectively, with only one copy of , is hard for any QPT adversary. This is called the “direct-product problem” in [aaronson2012quantum]. It is clear that if the adversary is able to find two vectors where and , it can simply combine them with oracle access to the function computation oracle to make two successfully verified pirated programs , where are found by . Both work by querying the oracle to obtain on any . Then anti-piracy security is broken.
The hardness of the direct-product problem was proved by Ben-David and Sattath [ben2016quantum]:
Theorem 4.2 ([ben2016quantum]).
Let be such that . Given one copy of and a subspace membership oracle of and , an adversary needs queries to output a pair of nonzero vectors such that and with probability at least .
Since in later security reductions we will refer to the direct-product problem as a security game, we briefly describe the game here:

Setup Phase: the challenger samples a random dimensional subspace from ; then prepares the membership oracle for , for the dual subspace and a quantum state , the equal superposition of all elements in .

Query Phase: the challenger sends to the adversary; the adversary can query polynomially many times.

Challenge Phase: the adversary outputs two vectors ; the challenger checks whether (1) are nonzero; (2) . If these are satisfied, the adversary wins.
We review the proof of Theorem 4.2 in Appendix A. We immediately have a corollary for QPT adversaries:
Corollary 4.3.
For any QPT adversary, given one copy of , where random subspace and given access to subspace membership oracles of and , the probability of finding a pair of nonzero vectors such that and is negligible in for any .
For the rest of the paper, when we discuss a pair of vectors , we implicitly refer to nonzero vectors and .
Two Types of Adversary
In the next steps, we show that any adversary that breaks the copy-protection scheme would either help solve the direct-product problem efficiently or violate the unlearnability of the underlying function.
For a QPT adversary that has passed verification, where is one of the pirate programs produced by , we divide the queries made by P to into two categories: informational and non-informational.
All queries from P to are of the form , where is an element of the vector space used for membership checking. If there exists at least one query that gets a reply for and another one with reply for , for the same , then we call these queries informational; one of these two queries must be on for some , and the other on for some . Otherwise, if no queries get replies of both and for any , they are not informational; these queries are on for in neither nor , or on for and in neither.
We divide the adversaries for the quantum copy protection minischeme into two categories and analyze them respectively:

Type 1: All the pirate programs produced by the adversary make informational queries.

Type 2: At least one pirate program produced by the adversary makes no informational queries.
4.1.1 Type 1 Adversary
We show that if all pirate programs produced by make informational queries, then we can extract the information of from their queries; otherwise, if at least one pirate program makes no informational query or no query at all, then we can use it to quantumly learn the copy-protected function with only black-box access.
Lemma 4.4.
For any randomly chosen with , if there exists some QPT adversary in the (mini-scheme) anti-piracy security game for some with a testing distribution that produces two successfully verified pirate programs with advantage , such that the queries made by to are informational, then there is a QPT algorithm that obtains two nonzero vectors with probability , where , and .
Proof.
The challenger in the copy-protection security game plays the adversary in breaking direct-product hardness, denoted . In the reduction, is given membership oracle access to and the state .
Next, we show that can simulate the copy-protection security game for using the information given, and use to obtain the two vectors. samples by itself and simulates the anti-piracy game defined in Definition 3.1, specifically simulating the copy-protection oracle for adversary as follows:


gives state and oracle access of to .

On query from , queries on .

If , computes . After computes , it samples a random string from the range of (for example, if it is a Boolean function).
Then, sends to as the query answer.
Note that needs to keep a table of and its corresponding . Every time it receives a query on , first goes through the table to see if has already been recorded; otherwise, samples a and adds it to the table. Since there are only polynomially many queries, only needs polynomial time and space to record .

If , sends to . The generation of is the same as above.

If both and , samples another from the range and keeps a table of as it does for . sends to .
We can see that perfectly simulates the copy-protection oracle . In the end, outputs two pirate programs and sends . first runs the verification algorithm by testing inputs sampled from to verify the two quantum programs produced by the adversary. If they do not pass verification, aborts.
Once the adversary's pirated programs have passed verification, runs each pirate program again on a polynomial number of inputs sampled from . This time, it destructively measures two random queries, one from and one from . For each measurement, the reduction takes the bit information in the second half of the register (i.e. the part in ), denoted ; it then queries the membership oracles and on , respectively, to see which subspace they are in.
We require that both pirate programs make informational queries and that the reduction measures both programs' queries, since can always just give the entire state to one of the pirate programs so that this program makes informational queries using ; a destructive measurement of this program's query would then give us only one vector in or one in .
Since each can make at most polynomially many queries, can obtain vectors that solve the direct-product problem with probability , given that make informational queries. Since has non-negligible advantage, has non-negligible advantage with only a factor loss.
∎
4.1.2 Type 2 Adversary
Next, we analyze the case where we cannot find both and from the queries made by to . This means at least one of them only gets replies carrying the information of or the information of , for all the queried. Since both are random functions, these replies are random strings uncorrelated with . In this case, the adversary has in fact produced a pirate program P that does not need to query the real oracle to pass the verification test. All the query replies can be simulated by sampling random values and keeping a table so that the values stay consistent.
Lemma 4.5.
For any unlearnable function family and with a testing distribution , if there exists some QPT adversary that produces two successfully verified pirate programs with advantage in the anti-piracy security game, and at least one program P makes no informational queries to , then there exists a QPT algorithm that learns with probability , where .
Proof.
We show the lemma above by showing the following:
(10) 
is a QPT adversary trying to learn with only black-box access to , as given in Definition 2.7; we denote this black box as a classical oracle , which on any query answers with . Here, .
The challenger in the copy-protection security game plays the role of the adversary that learns a function using only black-box access: the function , along with an input distribution , is sampled from a function family . This adversary is denoted as . In the reduction, is given oracle access to .
Next, we show that can simulate the copy-protection security game for using the information given, and uses to quantumly learn . samples a random dimensional subspace over and prepares the membership oracles (unitary matrices) as well as the state ; it simulates the copy-protection oracle as follows:


1) gives the state and oracle access of to .

2) On a query from , applies the unitaries on .

3) If , queries on input . After obtains , it samples a random string from the range of (for example, if it is a Boolean function) and sends to as the query answer. Note that needs to keep a table of and its corresponding : every time a query arrives, first checks the table to see whether has already been recorded; otherwise, samples a fresh and adds it to the table. Since there are only polynomially many queries, only needs polynomial time and space to record .

4) If , sends to . The generation of is the same as above.

5) If both and , samples another from the range and keeps a table of as it does for . sends to .
We can see that perfectly simulates the copy-protection oracle for . In the end, outputs two pirate programs and sends .
randomly chooses one of the pirate programs in , ; we denote this chosen program as P for simplicity. Importantly, an adversary that successfully learns a function in the sense of Definition 2.7 needs to produce a polynomial-size quantum circuit and a state that computes without making any oracle queries. We show how can obtain such a circuit-state tuple from P.
If P makes no query to at all, then simply sends it to the function-learning challenger as 's own output. If P makes queries only on , or on vectors in neither nor , then can modify this program, a circuit-state tuple , into a circuit-state tuple that does not make any query to , through the following steps:

1) adds an additional circuit , together with randomness of length , in order to answer 's queries.

2) If P makes queries on and in neither nor :
   a) queries on will be answered by sampling a uniform random string if , or another uniform random string if ;
   b) keeps a table of queried and sampled strings to be consistent on the same query.

3) If P makes queries on and in neither nor :
   a) samples a random if , and if ;
   b) keeps a table of the randomly sampled for and for to be consistent.

Note that can be given the information of and , since now does not make any query to , and , are completely independent of any information in . Because, by assumption, does not make any informational query to , and P have the same functionality. And since makes only polynomially many queries, is only of polynomial size.
Now, has obtained a circuit-state tuple which has no access to the oracle and has the same functionality as the P produced by . simply submits to the function-learning challenger as its own output. If 's programs pass the copy-protection verification, , and if happens to pick the program that makes no informational query, then successfully "learns" the function with the same input distribution used for verifying pirate programs, that is:
Therefore, for equals one over the probability that picks the program that actually does not make any informational query. If randomly chooses one of the two programs, then has at least probability of picking the right program, given that produces at least one program with no informational queries.
∎
Conclusion
With Lemma 4.5, Lemma 4.4 and Theorem 4.2, we are able to prove the security of the mini-scheme:
Proof of Theorem 4.1.
For any QPT adversary , given the copy-protected program for sampled from a family of functions ,
where and are some polynomials of , as we specified in Lemma 4.4 and Lemma 4.5.
By the definition of quantumly unlearnable functions, we have . And by Theorem 4.2 and Corollary 4.3, we have .
Therefore, we can conclude Theorem 4.1. ∎
5 Generalized Construction
5.1 Polynomial Copies of Program Distributions
In this section, we extend the secure quantum money mini-scheme to a construction of polynomially many copy-protection programs for the same function : for , where is a polynomial in .
Let be a quantumly unlearnable family of functions and . We define the generalized quantum copy-protection scheme for as follows:
1) For each , the vendor runs the mini-scheme generation process for :

   a) Sample a random dimensional subspace ; a random function and another random function .

   b) Generate program as follows. Prepare a subspace state on qubits corresponding to :
      (11)
      as the key for the program. The classical description of is kept private. Prepare an oracle such that it computes the following:
      (12) denotes the oracle access .

2) Distribute the programs to an authorized customer via a secure quantum channel.
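As an added illustration (not code from the paper), the following classical toy models one mini-scheme instance as generated above and as simulated in the proof of Lemma 4.5: a random subspace A of F_2^n with its membership tests, and the masking oracle that answers with f(x) XOR r(x) on vectors in A, with r(x) on vectors in A^perp, and with an independent r'(x) elsewhere, using the lazily sampled tables for r and r' that the reductions maintain. The branch layout follows my reading of the simulator steps and is an assumption, as are the parameters n = 16, dim(A) = n/2 (the Aaronson-Christiano choice) and the constructed Boolean f; the honest evaluation uses explicit vectors from A and A^perp as stand-ins for the subspace state and its Hadamard transform, which a real user holds instead.

```python
import secrets
N, K = 16, 8   # ambient dimension n and dim(A) = n/2 (assumed, following Aaronson-Christiano)

def rref(rows, n):
    # Reduced row echelon form over F_2; vectors are n-bit ints. Returns (basis, pivot columns).
    rows, pivots = list(rows), []
    for col in range(n - 1, -1, -1):
        r = len(pivots)
        piv = next((i for i in range(r, len(rows)) if rows[i] >> col & 1), None)
        if piv is not None:
            rows[r], rows[piv] = rows[piv], rows[r]
            for i in range(len(rows)):
                if i != r and rows[i] >> col & 1:
                    rows[i] ^= rows[r]
            pivots.append(col)
    return rows[:len(pivots)], pivots

def random_subspace(n, k):
    # Uniformly random k-dimensional A in F_2^n, plus a basis of A^perp (one vector per free column).
    while True:
        rows, pivots = rref([secrets.randbits(n) for _ in range(k)], n)
        if len(pivots) == k:
            dual = [(1 << j) | sum(1 << p for row, p in zip(rows, pivots) if row >> j & 1)
                    for j in range(n) if j not in pivots]
            return rows, pivots, dual

def in_subspace(v, rows, pivots):
    # Membership oracle for A: reduce v against the RREF basis of A.
    for row, col in zip(rows, pivots):
        if v >> col & 1:
            v ^= row
    return v == 0

def make_oracle(f, rows, pivots):
    # Oracle O: (x, v) -> f(x)^r(x) if v in A, r(x) if v in A^perp, r'(x) otherwise; r, r' lazily tabulated.
    r, r_prime = {}, {}
    def oracle(x, v):
        if v and in_subspace(v, rows, pivots):            # nonzero only: 0 lies in A and A^perp
            return f(x) ^ r.setdefault(x, secrets.randbits(1))
        if v and all(bin(row & v).count("1") % 2 == 0 for row in rows):   # v orthogonal to A
            return r.setdefault(x, secrets.randbits(1))
        return r_prime.setdefault(x, secrets.randbits(1))
    return oracle

def demo():
    secret = secrets.randbits(8)
    f = lambda x: bin(x & secret).count("1") & 1          # constructed Boolean function on 8-bit x
    rows, pivots, dual = random_subspace(N, K)
    oracle = make_oracle(f, rows, pivots)
    b = next(w for w in dual if not in_subspace(w, rows, pivots))   # A^perp vector outside A
    return all(oracle(x, rows[0]) ^ oracle(x, b) == f(x) for x in range(256))
```

Querying with vectors from only one of A or A^perp returns a masked value that is consistent across repeated queries but carries no information about f(x), which is the situation the Type 2 reduction simulates with its own random tables.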
Remark 5.1.
The random function , which is used to mask the value of , must be chosen with fresh randomness at preparation time for each program . If we use the same for two programs , the adversary can easily attack by creating a program that queries with a vector in and with a vector in .
Attack by Intersections of Subspaces
We analyze the (im)possibility of an obvious attack. One simple attack on the general scheme is that the adversary buys two programs and . By measuring , it gets a point . By measuring (or ), it gets a point (or ). If happens to be in , then the scheme is broken. However, we can show that the probability that or has a non-trivial intersection (an intersection containing elements other than the zero element) with is negligible. More generally, even for a polynomial number of different randomly chosen subspaces of dimension , the probability that there exist two subspaces where one has a non-trivial intersection with the other (or with its dual subspace) is negligible.
Claim 5.2.
Given uniformly random subspaces , each with dimension , the probability that there exist such that is negligible.
Proof.
Fix two different indices and , and consider the subspaces and : and are chosen randomly and independently from ; each basis vector is selected with probability . The intersection is also a subspace; let be the dimension of . We denote by the random variable indicating that the th basis vector is selected as a basis vector for both and , for . Clearly, . We can bound the probability of obtaining an intersection of dimension using a Chernoff bound:
(13)
Then for any two subspaces in , we can bound the probability that they intersect in a subspace of dimension larger than by a union bound:
(14)
An dimensional subspace is only a negligible portion of any dimensional subspace; moreover, the probability that an intersection of dimension larger than exists is negligible. Hence, the probability that there exists a non-negligible intersection between any two random subspaces is extremely small. ∎
Therefore, with overwhelming probability , have only a negligible intersection, so exploiting hardly helps in finding two vectors in for any . Even a quantum adversary using Grover search to find an element in the intersection gains only a quadratic improvement, by the Grover search lower bound. Hence, this kind of attack can be ruled out.
Theorem 5.3.
For any quantumly unlearnable family of functions and any , given copies of programs constructed as above, no quantum polynomial-time adversary can break anti-piracy except with negligible probability.
Proof.
If there exists a QPT adversary that successfully produces number of pirate programs , then we can follow the proof for the minischeme security in Section 4.1 to show that these pirate programs can either be used to extract two nonzero vectors in for some , or be used to violate unlearnability of the protected function.
If all pirate programs make informational queries to the oracles given in , then by the pigeonhole principle there must be two programs that make queries to the same oracle for some . Since both of these programs make informational queries, i.e. they obtain both and from their queries for some in the domain, we can follow a similar argument to Lemma 4.4 and obtain two nonzero vectors in and . The reduction algorithm can first guess the oracle that will be queried by two pirate programs; it uses the oracles it receives from a DirectProduct challenge to prepare , and prepares the rest of the membership oracles by sampling subspaces itself. The rest of the proof is the same as in Lemma 4.4. now has a factor of loss in advantage compared to its advantage in Lemma 4.4, due to the guessing.
If there exists one pirate program that makes no informational queries to any of the oracles in , then it obtains no actual computation result from the oracles for any in the domain; we follow the argument of Lemma 4.5 to show that a QPT reduction can use this program to quantumly learn the unlearnable function . has a factor of loss in advantage compared to its advantage in Lemma 4.5, since it now picks at random from programs.
∎
5.2 Further Security through Authorization
Though the above construction for copies of programs is secure against QPT adversaries, if we want to further reduce the probability of attacks, we can add authorization to each copy of the program. Following Aaronson and Christiano [aaronson2012quantum], we can enhance the security of polynomially many copy-protection programs by adding quantum-secure digital signatures. By adding authorization information, we make sure that the adversary can only attack by pirating one underlying copy-protection mini-scheme, which rules out any attack that "combines" information obtained from several programs, such as the attack by intersection shown above. The security of the polynomial-copy construction then reduces to the security of the digital signature and of the mini-scheme.
Let be a quantumly unlearnable family of functions and