Quantum Copy-Protection from Hidden Subspaces

Quantum copy-protection is an innovative idea that uses the no-cloning property of quantum information to copy-protect programs and was first put forward by <cit.>. The general goal is that a program distributor can distribute a quantum state |Ψ〉, whose classical description is secret to the users; a user can use this state to run the program P on his own input, but not be able to pirate this program P or create another state with the same functionality. In the copy-protection with oracle setting, the user has access to a public oracle and can use the given quantum state and the oracle to compute on his/her own input for polynomially many times. However, the user is not able to produce an additional program(quantum or classical) that computes the same as P on almost all inputs. We present a first quantum copy protection scheme with a classical oracle for any unlearnable function families. The construction is based on membership oracles for hidden subspaces in F_2^n, an idea derived from the public key quantum money scheme in <cit.>. We prove the security of the scheme relative to a classical oracle, namely, the subspace membership oracle with the functionality of computing the secret function we want to copy-protect. The security proof builds on the quantum lower bound for the Direct-Product problem (<cit.>) and the quantumly unlearnability of the copy-protected functions. We also show that existence of quantum copy protection and the quantum hardness of Learning-with-Errors (LWE) will imply publicly verifiable quantum money.



There are no comments yet.


page 1

page 2

page 3

page 4


Quantum copy-protection of compute-and-compare programs in the quantum random oracle model

Copy-protection allows a software distributor to encode a program in suc...

Hidden Cosets and Applications to Unclonable Cryptography

In this work, we study a generalization of hidden subspace states to hid...

Secure Software Leasing

We introduce the notion of secure software leasing (SSL): this allows fo...

Entanglement is Necessary for Optimal Quantum Property Testing

There has been a surge of progress in recent years in developing algorit...

Almost Public Quantum Coins

In a quantum money scheme, a bank can issue money that users cannot coun...

Quantum Merkle Trees

Commitment scheme is a central task in cryptography, where a party (typi...

Homomorphic Encryption based on Hidden Subspace Membership

In this paper, we propose a leveled fully homomorphic encryption scheme ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Quantum copy-protection was proposed by Aaronson in [aaronson2009quantum]. Similar to the more widely-studied quantum money, quantum copy-protection is also inspired by the No-Cloning property of quantum information, but it aims at a different security goal: for quantum money, we need verifiable, unclonable quantum states; for quantum copy-protection, we want some unclonable states that can also let us compute certain functions correctly.

The informal definition for quantum copy protection is as follows: given a secret function drawn from a publicly known function family , we want a quantum state that (1) can be efficiently prepared given a classical description of ; (2) can be used to compute efficiently and correctly for (almost) all inputs ; (3) cannot be used to prepare more states and more functions efficiently so that and can compute correctly almost anywhere.

The idea of quantum money was first introduced by Wiesner [wiesner1983conjugate]

in around 1970. A secure quantum money should have the following properties (assuming all parties have access to some quantum resources): an efficient algorithm to prepare the quantum money state; an efficient quantum algorithm to verify the money produced by the bank with high probability; no one (except the bank) can efficiently duplicate the states accepted by the verifier except with exponentially small probability. In a secure public-key/publicly verifiable quantum money scheme, the verification part is public, i.e. anyone can verify the money efficiently.

Among the public-key quantum money schemes proposed till today, Aaronson and Christiano [aaronson2012quantum] constructed a simple and beautiful scheme relative to a classical oracle, namely the subspace membership oracle: the oracle has a secretly, randomly chosen -dimensional subspace

inside and upon each input vector, it outputs 1 if the vector is in

and 0 otherwise. The oracle setting security of this scheme is proven based on quantum lower bound obtained through inner-product adversary method; later Zhandry [zhandry2017quantum] instantiated the subspace membership oracle with a black-box construction from quantum-secure indistinguishability obfuscation (iO) and injective one-way functions. Indistinguishability obfuscation is an algorithm that takes in two circuits with same functionalities and produce two obfuscated circuits so that they maintain original computation functionalities, but a probabilistic polynomial-time adversary cannot distinguish between the two obfuscated circuits. [zhandry2017quantum] assumes a quantum-secure version of this primitive together with injective one-way functions to construct a subspace-hiding obfuscator that achieves the subspace-hiding property needed in [aaronson2012quantum] quantum money scheme.

Quantum copy-protection is a less explored idea. By far we don’t have any provably secure copy-protection scheme of any class of functions even when oracles are allowed. By unlearnable functions, we mean a function family that is not learnable from its input/output behavior for any quantum polynomial time (QPT) adversary having only classical black-box access to the functions. [aaronson2009quantum] showed that any learnable function families cannot be copy-protected. [aaronson2009quantum] also showed that learnability of functions is the only obstruction to quantum copy-protection relative to a quantum oracle, but did not give a provably secure copy-protection scheme or a specific quantum oracle to build copy-protection upon. Moreover, the ultimate goal is to design an explicit and practical copy-protection scheme; therefore, this led us to raise the following open problem:

Can we design a quantum copy-protection scheme relative to classical oracle?

1.1 Main Results

Quantum Copy-Protection Relative to a Classical Oracle

Our main contribution resolves the foregoing open problem with a positive answer. Namely, we present a copy-protection scheme, suggested by Paul Christiano, based on the same subspace membership oracles in [aaronson2012quantum] and prove the following theorem, which shows that our scheme is secure against any quantum polynomial-time adversary for a large class of functions relative to a classical oracle.

Theorem 1.1 (Informal).

For any quantumly unlearnable family of functions , we can construct a copy-protection scheme for such that using a classical oracle:

  • Any authorized user can use the program to compute correctly and efficiently for polynomially many times.

  • Any quantum polynomial time adversary (whether an authorized user or not) cannot pirate the copy-protection program of , except with a negligible probability.

The high-level idea is that the copy-protection scheme requires any authorized user to query the oracle twice using an “unclonable” state in order to obtain a valid computation result. More specifically, this unclonable state is an equal superposition over some subspace, known only to the vendor. Upon the first query, the user queries the oracle on the original state

and its own input for the function, and receives the function computation result masked with randomness; on the second query, the user uses the state after applying Quantum Fourier Transform and the same function input, and it receives the corresponding randomness. The user can then remove the randomness to obtain the correct computation result. On the other hand, any unauthorized user almost always gets useless outputs.

The anti-piracy security first relies on the quantum hardness of the Direct-Product problem in [ben2016quantum]: given the membership oracle for a secret, randomly chosen -dimensional subspace and the membership oracle for its dual subspace , it is hard for a quantum polynomial-time adversary to find two non-zero vectors .

Next we prove that any QPT adversaries who have broken the anti-piracy security copy-protection scheme can be divided into two categories, Type I and Type II. For any Type I adversary, there is a QPT reduction algorithm can use it to solve the Direct-Product problem by extracting information from the produced pirate programs making queries to the oracle. For any Type II adversary, who does not achieve what the type I adversaries do, a QPT algorithm can use it to quantumly learn an unlearnable function by having only classical black-box access to the function. The quantum lower bound for direct-product problem and the unlearnable property of the copy-protected functions immediately give us the security of the scheme when the adversary can only access one piece of program., which we call mini-scheme security. Then we generalize our construction from a mini-scheme to the case when an adversary can access polynomially many programs for the same function, and prove the security in this case.

We also point out some directions to remove the oracle and implement the scheme with cryptographic primitives; the existence of quantum-secure indistinguishability obfuscation is highly likely to be necessary but not sufficient.

Relation to Public-key Quantum Money

We show that quantum copy-protection for the decryption function from a quantum CCA secure public key encryption (PKE) scheme implies public-verifiable quantum money. If we can copy-protect the decryption function (with the secret key), we can let a quantum copy-protection program be a quantum banknote; then everyone can use the corresponding public key from the encryption scheme to verify a quantum money state. Such candidate quantum CCA secure PKE scheme can be built from Learning-with-Errors (LWE).

Similarly, we show that quantum copy-protection for certain quantum-secure injective trapdoor functions implies public-verifiable quantum money.

1.2 Relevant Works

Quantum Copy-Protection

Quantum Copy-Protection was proposed by Aaronson et al in [aaronson2009quantum]. and this paper also gave two candidate schemes for copy-protecting point functions without security proofs. He proved that any functions that are not quantum learnable can be quantumly copy-protected relative to a quantum oracle, based on Complexity-Theoretic No-Cloning but did not give a quantum oracle construction.

Broadbent and Lord in [Broadbent2019UncloneableQE] introduced unclonable encryption. They construct schemes for encoding classical plaintexts into quantum ciphertexts, which prevents copying of encrypted data. Unclonable encryption can be seen as copy-protecting a unit of functional information simpler than a function.

Quantum Money

Quantum money was first proposed by Wiesner [wiesner1983conjugate] in around 1970. His scheme is based on conjugate coding, consisting of a unique classical serial number and polarized photons to determine the quantum state. However, as pointed out by Aaronson et al. [aaronson2012quantum], his scheme has some drawbacks, including the verifiability problem, the online attack problem and the giant database problem. After a few decades, Aaronson [aaronson2009quantum] gave the first public-key quantum money and quantum copyright protection. He proved that it is possible to construct the secure public-key quantum money relative to a quantum oracle. However, his explicit scheme was broken by Lutomirski et al. [lutomirski2009breaking]. Later, Aaronson and Christiano [aaronson2012quantum] proposed a secure public-key quantum money scheme relative to a classical oracle; they used hidden subspaces and quantum-secure digital signature to build the scheme. Its explicit scheme using conjectures about polynomials was later broken but the oracle version is proven secure through a lower bound obtained by inner-product adversary method. Zhandry [zhandry2017quantum] studied the quantum lightning, a formalization of “collision-free quantum money”. He showed the relation between quantum money/quantum lightning and the security of signatures/hash functions; [zhandry2017quantum] also instantiated the quantum money scheme of Aaronson and Christiano with quantum-secure indistinguishability obfuscation. More recently, Kane [kane2018quantum] showed a new approach for public-key quantum money using modular forms. Ji et al. [ji2018pseudorandom] defined the pseudorandom quantum state (PRS), which is a family of quantum states such that a random member of state among this family cannot be efficiently distinguished from the state drawn according to the Haar measure. He gave efficient constructions of PRS’s assuming that quantum-secure one-way functions exist. Using PRS, they can give a more generic and query secure private-key quantum money scheme.

Another interesting circumstance to consider is classically verifiable quantum money introduced in [gavinsky2014classicalqm]. The communication between the bank and the user is classical and verification is through interactive protocols between them. [radiansattath2019semiquantum] gives a construction for such semi-quantum money assuming quantum-secure Message Authentication Code (MAC) and Learning-with-Errors (LWE), taking using of the noisy trapdoor claw-free function introduced by [Brakerski2018ACT].

Aaronson [aaronson2018shadow] showed a relation between quantum money and shadow tomography of quantum states. He proved that for any private-key quantum money scheme, a counterfeiter can produce additional bills with high probability given polynomial-many legitimate bills and exponential time, without querying to the bank.

One-time Programs and One-time Memory

Another idea of copy-protecting softwares is through one-time program, introduced in [goldwasser2008onetime]. One-time programs can be executed on only one single input and nothing other than the result of this computation is leaked. One-time memory is a notion analogous to oblivious transfer but sender destroys the database after the transfer and is classically unachievable without hardware assumptions. Quantum one-time programs are discussed in [broadbent2013quantum], showing that any quantum circuit can be compiled into a one-time program assuming only the same basic one-time memory devices used for classical circuits.


Obfuscation is a classical cryptographic primitive to hide the computation procedures of functions but maintain their functionalities. The most ideal and strong notion, virtual black-box obfuscation is proven to be impossible for general circuits/TMs in [barak2001possibility]. VBB obfuscation constructions nevertheless exist for certain functionalities such as point functions; there are also realizations of other weaker VBB notions, for example distributional VBB obfuscation based on lattice, in [goyal2017lockable] and [wichs2017obfuscating].

Indistinguishability obfuscation(iO) was put forward by [barak2001possibility, barak2012possibility], as a weaker substitute to the too strong notion of black-box obfuscation. What iO achieves is making two circuits with almost identical functionalities to be indistinguishable to the adversary. Garg et. al. [garg2016candidate] described a candidate construction for iO for circuit using multilinear maps. Recently, [AJLMS2019iowithoutmmp] gives iO construction from assuming bilinear maps, subexponential hardness of Learning-with-Errors (LWE), weak PRG and security amplification; the assumptions are further simplified in [jain2019simplifying]. Though difficult to construct from standard assumptions, iO as a black-box is extremely useful in building other cryptographic primitives, shown in works such as [sahai2014use].

On the quantum side, Alagic and Fefferman [alagic2016quantum] defined several notions of quantum obfuscation and proved several impossibility results.


Watermarking is a different way to copy-protect softwares classically by embedding a “watermark” into the softwares’ functionalities; a verification algorithm can verify the watermark and a watermarked software cannot function properly if the watermark is removed. [barak2001possibility] proposed the notion of watermarking and [hopper2007weak-watermark] gives more general and rigorous definitions for watermarking schemes. Later works, such as [cohen2015publicly, nishimaki2015watermarking, kim2017watermarking, cohen2018watermarking, quach2018watermarking] study more variants of goals such as public-key watermarking, publicly-verifiable watermarking and different watermarking schemes for cryptographic primitives, such PRFs.

2 Preliminaries

In this paper, we use to denote and use to denote all dimensional subspaces in .

Definition 2.1 (Dual Subspace).

Given a subspace of a vector space , let be the orthogonal complement of : the set of such that for all . It is not hard to show: is also a subspace of ; .

2.1 Quantum Information and Query Models

In this work, we consider the quantum query model, which gives quantum circuits access to some oracles. The classical and quantum oracles are defined as follows.

Definition 2.2 (Classical Oracle).

A classical oracle on input query is a unitary transformation of the form for function .

Definition 2.3 (Quantum Oracle).

A quantum oracle is an arbitrary -qubit unitary transformation that a quantum algorithm can apply in a black-box way. Given oracle that computes a function on input , we usually write us : the first part is the quantum system over the set of possible inputs; the second part is the quantum system over a set of possible outputs; the third is the workspace register and is reset after use.

Note that a classical oracle can be queried in quantum superposition. The main difference between classical and quantum oracles is that classical oracle for a function on input puts the response in the phase, but a quantum oracle can answer with a superposition of computation results.

The “No Cloning Theorem” states that it’s impossible to clone an unknown arbitrary quantum state. This impossibility can also be characterized by query complexity, as a generalization of the No-Cloning Theorem and the BBBV lower bound for quantum search .

Theorem 2.4 (Complexity-Theoretic No-Cloning [aaronson2012quantum]).

Given one copy of , as well as oracle access to such that and for all orthogonal to , a counterfeiter needs queries to prepare with certainty (for a worst-case ).

In addition, we also use the “Gentle Measurement Lemma” or “Almost As Good As New Lemma”.

Theorem 2.5 (Gentle Measurement Lemma [aaronson2004limitations]).

Suppose a measurement on a mixed state yields a particular outcome with probability . Then after the measurement, one can recover a state such that .

2.2 Cryptography

Definition 2.6 (Negligible Function).

We call a function as a negligible function if for all , such that for all . We denote a negligible function in parameter as .

Definition 2.7 (Quantum Unlearnability).

We consider a quantum polynomial-time algorithm : classical oracle access to function ; function is sampled from with an efficiently computable testing distribution over the domain ; let be the output of , where is a polynomial-size quantum or classical circuit and is a (mixed) state.

A distinguisher Dist is a quantum polynomial-time algorithm having access to full description of , and testing distribution ; Dist samples polynomially many inputs from and check if . Dist outputs 1 if and only if it finds any such that ; otherwise it outputs 0. For any , we call a family of functions quantumly unlearnable if the following holds for any such quantum polynomial-time algorithm :


where is some non-negligible probability in terms of output length.

Definition 2.8 (Public Key Quantum Money).

A public-key (publicly-verifiable) quantum money should consists of the following algorithms:

  • takes as input a security parameter , and generates a key pair .

  • takes in a secret key sk and generates a quantum banknote state .

  • takes as input public key pk, and a claimed money state , and outputs either 1 for accept or 0 for reject.

A secure public-key quantum money should satisfy the following properties:

Verification Correctness: For any , there exists a negligible function so that the following holds:

Unclonable Security: For any , suppose a QPT adversary is given number of valid bank notes and then gives number of claimed bank notes to verification algorithm Ver, there exists a negligible function such that the following holds for all QPT adversary :

Note that public key quantum money in fact refers to publicly verifiable quantum money, we will conform with the tradition of calling it public key quantum money.

Definition 2.9 (Digital Signatures).

A (classical) public-key digital signature scheme D consists of three probabilistic polynomial-time classical algorithms:

  • takes as input a security parameter , and generates a secret and public key pair .

  • takes in secret key sk and a message , and generates a signature .

  • takes as input public key pk, a message , and a claimed signature , and outputs either 1 for accept or 0 for reject.

A secure digital signature scheme should satisfy the following properties:

Verification Correctness:

For any , so that the following holds:


For any , suppose a PPT adversary is given number of valid signatures from a signing oracle on any message queries, and then gives a claimed signature on not queried before, there exists a negligible function so that for any such :

More cryptography primitives and assumptions used are given in Appendix B.

3 Quantum Copy-Protection Relative to a Classical Oracle

We define a correct and secure quantum copy-protection as follows.

3.1 Quantum Copy-Protection Definition

Definition 3.1.

Consider a family of functions , a quantum copy-protection scheme for consists of the following procedures:

Generation: Given and parameter , the vendor can generate a copy-protected program and a quantum key in time.

Computation: given , a user can compute the function for any by running the program in time.

Correctness and Security

We assume the quantum communication channel between the vendor and the customer is secure.

A quantum copy-protection scheme with parameter should satisfy the following properties:

Correctness: The customer with the key can compute the function by running the program , i.e.,


the probability is over the randomness used in generation of .

Anti-Piracy: The anti-piracy security is defined through the game below.

Setup Phase:

The challenger (vendor) samples , and is a testing distribution for .

Challenger runs for times to generate copies of programs:

Challenge Phase:

The challenger gives the copies of programs generated above to a quantum polynomial-time adversary .

Afterwards, generates programs . Each program consists of a polynomial-size quantum circuit and a (mixed) state .

To verify these programs, consider the challenger now as a quantum polynomial-time distinguisher algorithm Dist which knows the full description of the function , testing distribution and is given the pirated programs . For each program , Dist outputs 1 if and only if any input-output difference can be found between and . We say that the -th program is verified if .

wins if all are verified.

The scheme has anti-piracy security if for any QPT adversary , the following holds for any :


where the probability is taken over the choice of and the randomness used in the setup.

We sometimes denote the above probability as to be the advantage of in the anti-piracy security game.

Note that each pirated program for should consist of a polynomial size quantum/ classical circuit and a mixed state . If the circuit produced is classical and does not need auxiliary quantum input, the adversary is defined to always provide a useless , such as classical bits of zeros. The distinguisher will then run program on input as . Though the distinguisher is QPT, it needs quantum resources in order to run the pirated programs; its verification criterion is solely on comparison of input-output behaviors of the pirated programs with those of and nothing else.

Remark 3.2.

The testing distribution over the inputs is important since can be different for different sampled from the same family(for example, point functions). The role of the distinguisher allows the pirate programs to be tested on a polynomial number of points sampled from the distribution. For an unlearnable family of functions , when we copy-protect , the distinguisher Dist uses the same testing distribution corresponding to from as in creftype 2.7 to verify the pirate programs.

Remark 3.3.

In this paper, the copy-protection scheme we present is based on a classical oracle, which we will for simplicity refer to as . Since the oracle is public, not only does adversary have access to the , the pirate programs produced by also do. Sometimes we will use the notation or to emphasize that the program or the circuit has access to .

3.2 Quantum Copy-Protection Mini-scheme

In this section we take use of the subspace membership oracles in [aaronson2012quantum] to construct a quantum copy-protection scheme.

First, we give a “mini-scheme” for quantum copy-protection, that is secure only for a single distribution of software. Then, we show that we can generalize the mini-scheme from one to polynomial number of copies.

Let be a family of functions: where . We assume is quantumly unlearnable and can be computed by polynomial-size classical circuits.

The mini-scheme for quantum copy-protection of function is as follows:

Generation: The vendor picks a uniformly random subspace of dimension and prepares a subspace state on qubits corresponding to :


as the key of the program. The classical description of is kept private.

Then, it generates an oracle such that


where are uniformly random functions.

Finally, it gives via a secure quantum channel to the customer and publishes the oracle .

Computation: Note that with subspace state , we can get the subspace state by applying a Quantum Fourier Transformation to qubits, i.e. To compute , customer can run the program as


Note that the customer will first query and then . Hence, only one piece of is enough for the computation.

For notation we denote the copy-protected program as the oracle access to for function . The customer receives the full program as . Throughout the paper, the oracle notation refers to the specific copy-protection oracle described above.

4 Analysis of The Mini-Scheme

In this section, we’ll show that the mini-scheme satisfies the creftype 3.1 of quantum copy-protection.

Correctness and Efficiency

For the Generation part, as shown in [aaronson2012quantum], given the basis of , the subspace state can be prepared in polynomial time. For the oracle, it only needs to check the membership of and . Hence, assuming the truth tables of are given, the oracle can be generated in polynomial time. Therefore, the whole Generation part can be done in time.

For the Computation part, the program can compute with high probability. Because for each , if and only if it picks or , which happens with probability .

Because of this high success probability of a single-round computation, by the gentle measurement lemma Theorem 2.5, the state can be used for polynomial many times.

4.1 Anti-Piracy Security

Next we show that the quantum copy-protection mini-scheme for any unlearnable families of functions has anti-piracy against any quantum polynomial-time adversaries. More formally:

Theorem 4.1.

Given a copy-protected program for function , i.e. the oracle access to and a subspace state , for any QPT adversary A, there exists a negligible function such that for any and any unlearnable family of functions , the following holds:


Later, for notational convenience, we denote


To prove the theorem, we first need to show that the problem of finding two non-zero points in and respectively with only one copy of is hard for any QPT adversary. This is called the “Direct-Product Problem” in [aaronson2012quantum]. It is clear that if the adversary is able to find two vectors where and , can just put them together with the oracle access to the function computation oracle to make two successfully verifies pirated programs where are found by . Both work by querying the oracle to obtain the on any . Then anti-piracy security is broken.

The hardness of the direct-product problem was proved by Ben-David and Sattath [ben2016quantum]:

Theorem 4.2 ([ben2016quantum]).

Let be such that . Given one copy of and a subspace membership oracle of and , an adversary needs queries to output a pair of non-zero vectors such that and with probability at least .

Since in later security reductions we will refer to the direct-product problem as a security game, here we briefly describe the game:

Setup Phase: the challenger samples a random -dimensional subspace from ; then prepares the membership oracle for , for the dual subspace and a quantum state , the equal superposition of all elements in .

Query Phase: challenger sends to adversary; the adversary can query for polynomially many times.

Challenge Phase: adversary outputs two vectors ; challenger checks if: (1) are nonzero; (2) . If these are satisfied, then adversary wins.

We review the proof for Theorem 4.2 in Appendix A. And we immediately have a corollary for QPT adversaries:

Corollary 4.3.

For any QPT adversary, given one copy of , where random subspace and given access to subspace membership oracles of and , the probability of finding a pair of non-zero vectors such that and is negligible in for any .

For the rest of the paper, when we discuss a pair of vectors , we implicitly refer to non-zero vectors and .

Two Types of Adversary

In the next steps, we show that any adversary which breaks the copy protection scheme would either help solve the direct product problem efficiently or violate the unlearnable property of the underlying function.

For some QPT adversary which has passed verification and is one of the pirate programs produced by , we devide the queries made by P into two categories, informational and not informational.

All the queries from P to are in the form of , where is an element in the vector space for membership checking. If there exist at least one query that gets a reply for and another one with reply for , for the same , then we call these queries informational; one of these two queries must be on , for some and the other query on for some . Otherwise if no queries can get replies of both and for any , they are not informational; these queries are on for and in neither nor , or on for and in neither.

We divide the adversaries for the quantum copy protection mini-scheme into two categories and analyze them respectively:

Type 1: All the pirate programs produced by the adversary will make informational queries

Type 2: At least one pirate program produced by the adversary will make not make any informational queries.

4.1.1 Type 1 Adversary

We show that if all pirate programs produced by make informational queries, then we can extract the information of from their queries; otherwise if at least one pirate program makes no informational query or no query at all, then we can use it to quantumly learn the copy-protected function with only black-box access.

Lemma 4.4.

For any randomly chosen with , if there exists some QPT adversary in the (mini-scheme) anti-piracy security game for some with a testing distribution and produces two successfully verified pirate programs with advantage , such that the queries made by to are informational, then there is a QPT algorithm to obtain two non-zero vectors with probability , where , and .


The challenger in the copy protection security game plays as the adversary in breaking direct-product hardness, denoted as . In the reduction, is given the membership oracle access to and state .

Next, we show that can simulate the copy protection security game for using the information given and uses to obtain the two vectors. samples by itself, and simulates the anti-piracy game defined in creftype 3.1, specifically simulating the copy protection oracle for adversary as follows:

  1. [label=0)]

  2. gives state and oracle access of to .

  3. On query from , queries on .

  4. If , computes . After computes , it samples a random string from the range of (for example, if it is a Boolean function).

    Then, sends to as the query answer.

    Note that needs to keep a table of and its corresponding . Everytime on query of , first goes through the table to see if has already been recorded before. Otherwise, samples a and adds it to the table. Since there are only polynomially many queries, only needs polynomial time and space to record .

  5. If , sends to . The generation of is the same as above.

  6. If both and , samples another from the range and keeps a table of as it does for . sends to .

We can see that perfectly simulates the copy-protection oracle . In the end, outputs two pirate programs and sends . first runs the verification algorithm by testing inputs from to verify the two quantum programs produced by adversary. If they do not pass verification, aborts.

Once the adversary’s pirated programs have passed verification, then runs each pirate programs , again on a polynomial number of inputs sampled from . This time, it destructively measures random two queries, one from and one from . For each of these measurements, the reduction takes the -bit information in the second half of the register (i.e. the -part in ), denoted as ; then queries the membership oracles and on respectively to see which subspace they are in.

We require that both pirate programs need to make informational queries and the reduction measures both programs’ queries, since can always just give the entire state to one of the pirate programs such that this program makes informational query using , but making a destructive measurement to this program’s query will give us only one vector in or one in .

Since each can make at most polynomially many queries, can obtain vectors that solve Direct-Product problem, with probability given that , make informational queries. Since has non-negligible advantage, has non-negligible advantage with only a factor of loss.

4.1.2 Type 2 Adversary

Next, we analyze the case if we cannot find both and from the queries made by to . Then it means at least one of them only gets replies with the information of or the information of , for all the queried. Since both are random functions, these replies are random strings uncorrelated with . In this case, the adversary has in fact produced a pirate program P that does not need to query the real oracle to get passed the verification test. All the query replies can be simulated by sampling random values and keeping a table to be consistent on the values.

Lemma 4.5.

For any unlearnable function family and with a testing distribution , if there exists some QPT adversary that produces two successfully verified pirate programs with advantage in the anti-piracy security game; and at least one program P makes no informational queries to , then there exists a QPT algorithm that learns with probability , where .


We show the lemma above by showing the following:


is a QPT adversary trying to learn with only black-box access to given in creftype 2.7; we denote this black box as a classical oracle , which on any query , answers the query with . Here, .

The challenger in the copy protection security game plays as the adversary in learning a function using only black-box access: function along with an input distribution , is sampled from a function family . This adversary is denoted as . In the reduction, is given the oracle access to .

Next, we show that can simulate the copy protection security game for using the information given and uses to quantumly learn . samples random -dimensional subspace over and prepares the membership oracles (unitary matrices) as well as state ; it simulates the copy protection oracle as follows:

  1. [label=0)]

  2. gives state and oracle access of to .

  3. On query from , applies the unitaries on .

  4. If , queries on input . After obtains , it samples a random string from the range of (for example, if it is a Boolean function).

    sends to as the query answer.

    Note that needs to keep a table of and its corresponding . Every-time on query of , first goes through the table to see if has already been recorded before. Otherwise, samples a and adds it to the table. Since there are only polynomially many queries, only needs polynomial time and space to record .

  5. If , sends to . The generation of is the same as above.

  6. If both and , samples another from the range and keeps a table of as it does for . sends to .

We can see that perfectly simulates the copy-protection oracle for . In the end, outputs two pirate program and sends .

randomly chooses one of the pirate programs in , ; we denote this chosen program as P for simplicity. Importantly, an adversary that successfully learns a function in creftype 2.7 needs to produce a polynomial-size quantum circuit and a state that computes without making any oracle queries. We show how can obtain such a circuit-state tuple from P.

If P makes no query to at all, then simply sends it to the function-learning challenger as ’s own output. If P makes query only on or in neither or , can modify this program, a circuit-state tuple , into a circuit-state tuple that does not make any query to through the following steps:

  • adds an additional circuit , together with randomness of length , in order to answer ’s queries

  • If P makes queries on and in neither nor :

    • queries on will be answered by sampling a uniform random string if or another uniform random string if ;

    • keeps a table of queried and sampled strings to be consistent on the same query

  • If P makes queries on and in neither nor

    • samples random if , if

    • keeps a table of randomly sampled for and for to be consistent

Note that can be given the information of and since now does not make any query to and , are completely independent of any information in . Because presumably does not make any informational query to , and P have the same functionality. And since makes only polynomially many queries, is only polynomial sized.

Now, has obtained a circuit-state tuple which does not have access to oracle and functions the same as P produced by . simply submits to the function-learning challenger as its own output. If ’s programs are supposed to pass the copy-protection verification, , and if happens to pick the program that makes no informational query, then will successfully “learn” the function with the same input distribution for verifying pirate programs, that is:

Therefore, for equals one over the probability that picks the program that actually does not make any informational query. If randomly chooses one of the two programs, then has at least probability of picking the right program given that produces at least one program with no informational queries.


With Lemma 4.5, Lemma 4.4 and Theorem 4.2, we are able to prove the security of the mini-scheme:

Proof of Theorem 4.1.

For any QPT adversary , given the copy protected program for sampled from a family of functions ,

where and are some polynomials of , as we specified in Lemma 4.4 and Lemma 4.5.

By the definition of quantumly unlearnable functions, we have . And by Theorem 4.2 and Corollary 4.3, we have .

Therefore, we can conclude Theorem 4.1. ∎

5 Generalized Construction

5.1 Polynomial Copies of Program Distributions

In this section, we extend the secure quantum money mini-scheme to a construction of polynomially many copy-protection programs for the same function : for is a polynomial of .

Let be a quantumly unlearnable family of functions and . We define the generalized quantum copy-protection scheme for as follows:

  • For each , the vendor runs the mini-scheme generation process for :

    • Sample a random -dimensional subspace ; a random function and another random function .

    • Generate program as follows. Prepare a subspace state on qubits corresponding to :


      as the key for the program. The classical description of is kept private.

      Prepare an oracle such that it computes the following:


      denotes the oracle access .

  • Distribute the programs to an authorized customer via a secure quantum channel.

Remark 5.1.

The random function which is used to mask the value of must be chosen with fresh randomness at the preparation for each program . If we use the same for two programs , the adversary can easily attack by creating a program that queries with a vector in and with a vector in .

Attack by Intersections of Subspaces

We analyze the (im)possibility of an obvious attack. One simple attack to the general scheme is that the adversary buys two pieces of programs and . By measuring , it gets a point . By measuring (or ), it gets a point (or ). If happens to be in , then the scheme is broken. However, we can show that the probability that or has nontrivial intersection (intersection of elements other than the zero element) with is negligible. More generally, even for polynomial number of different randomly chosen subspaces of dimension , the probability that there exist any two subspaces where one has non-trivial intersection with the other (or the dual subspace of it) is negligible.

Claim 5.2.

Given uniformly random subspaces , each with dimension , the probability that there exist such that is negligible.


Fix two different indices and , consider subspaces and : and are chosen randomly and independently from ; each basis vector is selected with probability . The intersection is also a subspace and let be the dimension of

. We denote the random variable

as the -th basis vector is selected to be a basis vector for both and , for . Clearly, . We can bound the probability of obtaining an intersection with dimension using Chernoff bound:


Then for any two subspaces in , we can obtain the possibility that they intersect with a larger than -dimensional subspace, by union bound,


An -dimensional subspace is only a negligible portion in any -dimensional subspace; moreover, the probability for the existence of an intersection with dimension larger than is negligible. Hence, the probability that there exists a non-negligible intersection between any two random subspaces is extremely small. ∎

Therefore, , have only negligible portions of intersections with overwhelmingly large probability, then exploiting can hardly help finding two vectors in for any . There is only quadratic improvement even for a quantum adversary using Grover search to find an element in the intersection by the Grover search lower bound. Hence, this kind of attack can be ruled out.

Theorem 5.3.

For any quantumly unlearnable family of functions , and any , given copies of programs constructed as above, then for any quantum polynomial-time adversary , cannot break anti-piracy except with negligible probability.


If there exists a QPT adversary that successfully produces number of pirate programs , then we can follow the proof for the mini-scheme security in Section 4.1 to show that these pirate programs can either be used to extract two non-zero vectors in for some , or be used to violate unlearnability of the protected function.

If all pirate programs make informational queries to the oracles given in , then by pigeonhole principle, there must be two programs that make queries to the same oracle for some . Since both of these two programs make informational queries, i.e. they obtain both and from their queries for some in the domain, we can then follow similar argument in Lemma 4.4 and obtain two nonzero vectors in and . The reduction algorithm can first guess the oracle that will be queried by two pirate programs; uses the oracles it receives from a Direct-Product challenge to prepare and prepares the rest of membership oracles by sampling subspaces itself. The rest of the proof is the same as in Lemma 4.4. now has a factor of loss in advantage compared to its advantage in Lemma 4.4, due to guessing.

If there exists one pirate program that makes no informational queries to any oracles in , then it obtains no actual computation result for all in the domain from the oracles; we follow the argument from Lemma 4.5 to show that a QPT reduction can use this program to quantumly learn the unlearnable function . has a factor of loss in advantage compared to its advantage in Lemma 4.5, since it now randomly picks from programs.

5.2 Further Security through Authorization

Though the above contruction for copies of programs is secure against QPT adversaries, if we want to further reduce the probability of attacks, we can add authorization to each copy of program. Following Aaronson and Christiano [aaronson2012quantum], we can enhance the security for polynomially many copy-protection programs by adding quantum-secure digital signatures. By adding authorization information, we make sure that the adversary can only attack by pirating one underlying copy-protection mini-scheme, completely rendering an attack by ”combining” the information obtained from several programs as impossible, such as an attack by intersection shown above. Then the security of polynomial-copy construction is reduced to the security of digital signature and mini-scheme.

Let be a quantumly unlearnable family of functions and