Quantum One-Time Protection of any Randomized Algorithm

Sam Gunn and Ramis Movassagh Google Quantum AI, Venice CA, 90291

(December 31, 2024)

Abstract

The meteoric rise in power and popularity of machine learning models dependent on valuable training data has reignited a basic tension between the power of running a program locally and the risk of exposing details of that program to the user. At the same time, fundamental properties of quantum states offer new solutions to data and program security that can require strikingly few quantum resources to exploit, and offer advantages outside of mere computational run time. In this work, we demonstrate such a solution with quantum one-time tokens.

A quantum one-time token is a quantum state that permits a certain program to be evaluated exactly once. One-time security guarantees, roughly, that the token cannot be used to evaluate the program more than once. We propose a scheme for building quantum one-time tokens for any randomized classical program, which include generative AI models. We prove that the scheme satisfies an interesting definition of one-time security as long as outputs of the classical algorithm have high enough min-entropy, in a black box model.

Importantly, the classical program being protected does not need to be implemented coherently on a quantum computer. In fact, the size and complexity of the quantum one-time token is independent of the program being protected, and additional quantum resources serve only to increase the security of the protocol. Due to this flexibility in adjusting the security, we believe that our proposal is parsimonious enough to serve as a promising candidate for a near-term useful demonstration of quantum computing in either the NISQ or early fault tolerant regime.

1 Introduction

Commercializing software presents a central dilemma: How does a proprietor distribute software, without forfeiting ownership? On the one hand, software must be made available to users for them to use it; on the other, once the software is distributed, an unlimited number of unauthorized copies can be made. This problem is more acute in the age of generative AI, where the software can be extremely valuable and potentially reveal private information.

There are two widely-adopted solutions to this problem:

1.

The proprietor can distribute an obfuscated version of the software. However, this opens up the possibility of piracy, and the user can always run the software an unlimited number of times.
2.

The proprietor can allow queries to the software, instead of distributing the software itself. But this requires communication between the user and the proprietor every time the software is used.

Sometimes a combination of these solutions is employed — for instance, an internet browser might be obfuscated and made public while the search engine itself is kept on servers.

There is an apparent trade-off between usability and exclusivity in these solutions. Distributing obfuscated software makes it highly usable, but it is impossible to impose any limits on the number of times it can be used. Keeping the software on servers and responding to user queries has high exclusivity, but lower usability because the user needs to communicate with the server to perform computations. Furthermore, this solution is only available to proprietors with enough resources to host a reliable server.

This trade-off between usability and exclusivity is inherent in the classical setting, because classical information can always be copied. As soon as software is distributed, the user can query or copy it as many times as they want. Therefore it is natural to look to quantum mechanics for improved solutions. In contrast to classical information, quantum information cannot be cloned. Indeed, unclonable cryptography is able to make use of this principle to improve both of the above solutions.¹¹1We note that unclonable cryptography has led to many additional interesting and varied protocols, including quantum money [Wie83], quantum key distribution [BB14], and certified deletion [BI20].

Improving Solution (1) with copy protection.

In copy protection, introduced by [Aar09], a quantum state is created that allows a program to be run an unlimited number of times, but not copied. In a classical oracle model, quantum copy protection is possible for any unlearnable program [ALL⁺21]. In the standard model, there exist unlearnable programs that cannot be copy protected [AP21]; nonetheless, it is known how to copy protect a small number of particular functionalities in the standard model [CLLZ21, LLQZ22, CG24, AB24].

Quantum copy protection addresses the piracy concern in Solution (1), but it does not apply in the setting where the proprietor wishes to distribute individual queries to the software. This is particularly relevant in the current age of generative AI, where the pay-per-query model is prevalent.

Improving Solution (2) with one-time programs.

For the pay-per-query model, one-time programs are a more suitable solution. A one-time program token is a quantum state that enables a program to be evaluated once. One-time programs therefore remove the need for online communication in Solution (2): The proprietor distributes tokens, and the users consume the tokens offline at their leisure.

This work.

In this work, we propose the first general-purpose tokenized program scheme using quantum information. Prior work was restricted to protecting specific cryptographic functionalities, and in particular did not apply to non-cryptographic programs like generative AI models.

Our method uses a one-time signature scheme and a program obfuscator to compile any randomized algorithm into a one-time token that allows the algorithm to be executed on any input of the user’s choice. We note that the quantum capabilities required for our scheme are completely independent of the program being protected. Therefore, our scheme could plausibly be used to protect a large program using only a small, noisy quantum device — even one that is incapable of demonstrating quantum computational advantage!

Prior and concurrent work on one-time programs.

One-time programs were initially studied in [GKR08], but without quantum computation. The idea of quantum one-time programs was originally suggested in [BGS13], where it was shown that it is impossible to build quantum one-time tokens for deterministic programs without specialized hardware assumptions. This is because a simple rewinding attack would allow a user to make arbitrarily many queries to the algorithm, given any state that allows it to be run once. Later, [BS23] presented a scheme to one-time protect signature functions in the standard model.

In concurrent and independent work, [GLR⁺24] also present a scheme for the one-time protection of arbitrary randomized algorithms. Their scheme is essentially identical to ours, except that they instantiate the quantum one-time authentication scheme with the particular construction of [CLLZ21]. With respect to security definitions and proofs, their results are generally much more extensive, including stronger (albeit more complex) definitions of one-time security and new impossibility results. However, they take a very different and complementary approach to proving security. It would be interesting to know whether our results (and in particular Lemma 1, which is simple and self-contained) say anything about security in their setting, or whether their results imply our Lemma 1.

Removing quantum communication.

The protocol described below requires quantum communication between the proprietor and the user, because the proprietor needs to send the user the quantum one-time program token. However, if the one-time signatures are instantiated with those from [CLLZ21], then the results of [Shm22, CHV23] allow us to replace this quantum communication with a remote state preparation protocol that uses only classical communication. That is, there exists a polynomial-time interactive protocol between a quantum user and a classical proprietor that results in the user holding a quantum one-time token which they can only use once. Unfortunately, this protocol is highly complex and not likely to be feasible on a near-term quantum device.²²2It also requires the assumptions that LWE is sub-exponentially hard for quantum computers and that indistinguishability obfuscation for classical circuits exists with sub-exponential security against quantum polynomial-time adversaries.

2 The construction

In this section, we present our scheme for one-time protecting an arbitrary randomized algorithm. Any randomized algorithm can be described by a function $f$ , which takes the input together with a random string, and outputs the result of the computation.

Our scheme relies on three cryptographic primitives:

•

$(\mathsf{AuthKeyGen},\mathsf{AuthTokenGen},\mathsf{Sign},\mathsf{Verify})$ , a quantum one-time authentication scheme. For instance, any quantum one-time signature scheme will suffice — although it is not required to be publicly verifiable. We define a quantum one-time authentication scheme in Definition 1.
•

$\mathsf{Obf}$ , a classical program obfuscator. This can be heuristically instantiated with any classical obfuscation algorithm (for instance, a candidate indistinguishability obfuscator), but we model it as black-box obfuscation for our security proof.
•

$H$ , a hash function modeled as a random oracle. This can be replaced with a pseudorandom function without affecting the security proof, because we model $\mathsf{Obf}$ as black-box obfuscation.

The software proprietor will generate a program token which can be used to evaluate $f$ one time. A program token consists of two parts:

•

$\ket{\psi}$ , an unclonable quantum state that does not depend on $f$ .
•

$\mathsf{Obf}(P)$ , an obfuscated classical circuit $P$ that depends on $f$ . This part is completely classical.

We emphasize that $\ket{\psi}$ does not depend on the program being obfuscated. In particular, this means that the quantum capabilities required of the user and the software proprietor do not depend on the complexity of the computation being one-time protected. Highly-complex computations like evaluation of a generative AI model can be protected, even if the quantum capabilities of both the user and software proprietor are limited. Furthermore, if we use the one-time signature scheme from [CLLZ21] for one-time authentication, then the only quantum capabilities required of the user are to store a constant-sized quantum state and to measure it in the standard and Hadamard bases.

At a high level, our scheme works by requiring the user to one-time authenticate any input they wish to evaluate $f$ on. The program $P$ will not evaluate $f$ unless a valid input-authentication pair is provided. Crucially, $P$ will determine the randomness to use for $f$ by computing a hash of the input-authentication pair.

2.1 One-time authentication with strong unforgeability

Before we state our one-time program construction in 2, let us define quantum one-time authentication and strong unforgeability. This is essentially a secret-key version of the definition of a quantum one-time signature scheme from [BS23], except that we insist on it being infeasible to generate two distinct signatures even for the same message. This property is referred to as strong unforgeability in [CHV23, BKNY23].

Remark.

There was an error in a previous version of this paper, due to our defining only the standard, weak version of unforgeability. We thank an anonymous reviewer for QIP 2025 for pointing this out.

In the following definition, the notation $\adv^{\mathsf{Verify}(\sk,\cdot)}$ means that $\adv$ is given quantum query access to the function $(x,z)\mapsto\mathsf{Verify}(\sk,(x,z))$ .

Definition 1 (Quantum one-time authentication with strong unforgeability).

We say that a tuple of four polynomial-time algorithms $(\mathsf{AuthKeyGen},\mathsf{AuthTokenGen},\mathsf{Sign},\mathsf{Verify})$ is a quantum one-time authentication scheme with strong unforgeability if the following hold:³³3The notation $\secparam$ just means $\secpar$ repeated 1’s; we sometimes use $\secparam$ instead of $\secpar$ as the input to an algorithm because we want the algorithm to run in time that is polynomial in the size of the input.

•

(Correctness) $\mathsf{Verify}(\sk,(x,z))=1$ if $z\leftarrow\mathsf{Sign}(x,\ket{\mathsf{tk}})$ , $\ket{\mathsf{tk}}\leftarrow\mathsf{TokenGen}(\sk)$ , and $\sk\leftarrow\mathsf{AuthKeyGen}(\secparam)$ .

•

(One-time unforgeability) For any polynomial-time adversary $\adv$ ,

\Pr_{\begin{subarray}{c}(x_{1},z_{1},x_{2},z_{2})\leftarrow\adv^{\mathsf{% Verify}(\sk,\cdot)}(\ket{\mathsf{tk}})\\ \ket{\mathsf{tk}}\leftarrow\mathsf{AuthTokenGen}(\sk)\\ \sk\leftarrow\mathsf{AuthKeyGen}(\secparam)\end{subarray}}[\mathsf{Verify}(\sk% ,(x_{1},z_{1}))=\mathsf{Verify}(\sk,(x_{2},z_{2}))=1\text{ and }(x_{1},z_{1})% \neq(x_{2},z_{2})]=\negl.

Since (strongly unforgeable) one-time authentication schemes can be easily built from any (strongly unforgeable) one-time signature scheme by simply considering the public key to be part of the secret key, the results of [BS23, CLLZ21, CHV23, BKNY23] imply their existence. In fact, these results show the existence of information-theoretically secure quantum one-time authentication schemes — that is, these constructions are secure against computationally unbounded adversaries, as long as they are only allowed to make $\poly$ queries to $\mathsf{Verify}$ .

We describe one such scheme for single-bit messages now. The case for multi-bit messages works by simply using several single-bit schemes in parallel.

Construction 1 (Single-bit quantum one-time authentication from hidden subspace states, [BS23]).

The algorithms are defined as follows.

$\mathsf{AuthKeyGen}(\secparam)$

1.

Sample a uniformly random subspace $A\subseteq\mathbb{F}_{2}^{\secpar}$ of dimension $\secpar/2$ .
2.

Output $A$ .

$\mathsf{AuthTokenGen}(A)$

1.

Output $\ket{A}=2^{-\secpar/4}\sum_{a\in A}\ket{a}$ .

$\mathsf{Sign}(x,\ket{A})$

1.

If $x=0$ , measure $A$ in the standard basis and output the result.
2.

If $x=1$ , measure $A$ in the Hadamard basis and output the result.

$\mathsf{Verify}(A,(x,z))$

1.

If $z=0^{\secpar}$ , reject (output $\bot$ ).
2.

If $x=0$ and $z\in A$ , accept (output 1).
3.

If $x=1$ and $z\in A^{\perp}$ , accept (output 1).
4.

Otherwise, reject (output $\bot$ ).

Note that 1 is correct because

H^{\secpar}\ket{A}=2^{-\secpar/4}\sum_{\begin{subarray}{c}b\in\mathbb{F}_{2}^{% n}\\ b\cdot a=0\ \forall a\in A\end{subarray}}\ket{b}=\ket*{A^{\perp}}.

Security was proven in [BS23].

Theorem 1 (Adapted from Theorem 16 of [BS23]).

1 is an information-theoretically secure quantum one-time authentication scheme.

2.2 Our one-time program construction

Let $f$ be the program we wish to one-time protect. Our scheme works by publishing a program $\hat{P}$ which contains within it the description of $f$ . Crucially, this program will have the following properties:

•

$\hat{P}$ uses obfuscation so as not to reveal the code of $f$ ;
•

$\hat{P}$ will compute $f$ on any input, but only if the input is authenticated with a one-time authentication scheme; and
•

$\hat{P}$ suitably “mixes” the input, the authentication tag, and the output together in such a way that, if the output is measured, the input and authentication tag effectively collapse.

While the first property follows from our use of an oracle model, and the second property is by construction, the third will prove to be quite difficult to establish. The statement of this third property is formalized in Lemma 1, which allows us to prove the one-time security of our scheme.

Construction 2 (General-purpose one-time programs).

Let $f:\operatorname{\mathcal{X}}\times\operatorname{\mathcal{R}}\to\operatorname{% \mathcal{Y}}$ be the function to be one-time protected, described as a bit-string representing a classical circuit that computes $f$ . Let $\mathsf{Obf}$ be an obfuscation algorithm for classical circuits, and let $(\mathsf{AuthKeyGen},\mathsf{AuthTokenGen},\mathsf{Sign},\mathsf{Verify})$ be a quantum one-time authentication scheme as defined in Definition 1. Suppose that the one-time authentication scheme produces authentications of length $m$ for all messages $x\in\operatorname{\mathcal{X}}$ , and let $H:\operatorname{\mathcal{X}}\times\{0,1\}^{m}\to\operatorname{\mathcal{R}}$ be a random oracle.

Our one-time protection scheme is specified by the algorithms $\mathsf{KeyGen}$ , $\mathsf{TokenGen}$ , and $\mathsf{TokenEval}$ , defined as follows.

$\mathsf{KeyGen}(\secparam,f)$

1.

Sample $\sk\leftarrow\mathsf{AuthKeyGen}(\secparam)$ .
2.
Let $P:\operatorname{\mathcal{X}}\times\{0,1\}^{m}\to\operatorname{\mathcal{Y}}\cup% \{\bot\}$ be a classical circuit that does the following on input $(x,z)$ :
1. (a)
  
  Compute $\mathsf{Verify}(\sk,(x,z))$ . If it rejects, output the special “reject” symbol $\bot$ .
2. (b)
  
  Otherwise, output $f(x;H(x,z))$ .
3.

Compute the obfuscation $\hat{P}=\mathsf{Obf}(P)$ of $P$ .
4.

Output $(\sk,\hat{P})$ .

$\mathsf{TokenGen}(\sk)$

1.

Compute the one-time authentication token $\ket{\mathsf{tk}}\leftarrow\mathsf{AuthTokenGen}(\sk)$ .
2.

Output $\ket{\mathsf{tk}}$ as the one-time program token.

$\mathsf{TokenEval}(x,\ket*{\mathsf{tk}},\hat{P})$

1.

Compute $z\leftarrow\mathsf{Sign}(x,\ket*{\mathsf{tk}})$ .
2.

Compute $\hat{P}(x,z)$ and output the result.

After $\mathsf{KeyGen}$ is run, the obfuscated program $\hat{P}=\mathsf{Obf}(P)$ is published as a public key. Given a one-time program token $\ket{\mathsf{tk}}$ , together with this public key, a user can evaluate $f$ on any input $x$ of their choice.

3 Security

We formalize one-time security of our one-time program scheme with the following black-box one-time program game. Essentially, security says that once an adversary produces a measured output of $\hat{P}$ , the adversary cannot find new accepting inputs to $\hat{P}$ .

$\operatorname{\mathcal{G}}_{\mathrm{BB}\text{-}\mathrm{OTP}}(\ket{\psi},\hat{P})$ :
1.

The adversary is given $\ket{\psi}$ . The adversary is also given (quantum) oracle access to $\hat{P}$ . The adversary is allowed to access this oracle throughout the game.
2.
The adversary submits a quantum query to the challenger on register $\operatorname{\mathsf{Q}}$ . The challenger does the following:
1. (a)
  
  Compute $\hat{P}$ on $\operatorname{\mathsf{Q}}$ , placing the result of the computation onto a register $\operatorname{\mathsf{R}}$ .
2. (b)
  
  Measure $\operatorname{\mathsf{R}}$ , obtaining outcome $y$ .
3. (c)
  
  If $y=\bot$ , the game is aborted and the adversary loses.
4. (d)
  
  Otherwise, return $\operatorname{\mathsf{Q}}$ to the adversary.
3.
The adversary submits a quantum query to the challenger on register $\operatorname{\mathsf{Q}}$ . The challenger does the following:
1. (a)
  
  Compute $\hat{P}$ on $\operatorname{\mathsf{Q}}$ , placing the result of the computation onto a register $\operatorname{\mathsf{R}}$ .
2. (b)
  
  Measure $\operatorname{\mathsf{R}}$ , obtaining outcome $y^{\prime}$ .
4.

The adversary wins if $y^{\prime}\not\in\{y,\bot\}$ .

We say that a scheme is black-box one-time secure if no polynomial-time adversary can win $\operatorname{\mathcal{G}}_{\mathrm{BB}\text{-}\mathrm{OTP}}$ with inverse polynomial probability.

Definition 2 (One-time program).

A one-time program scheme consists of three polynomial-time algorithms $\mathsf{KeyGen}$ , $\mathsf{TokenGen}$ , and $\mathsf{TokenEval}$ . We say that it is black-box one-time secure for a function $f$ if, for all polynomial-time adversaries $\adv$ making at most $\poly$ quantum oracle queries,

\Pr_{\begin{subarray}{c}(\sk,\hat{P})\leftarrow\mathsf{KeyGen}(\secparam,f)\\ \ket{\mathsf{tk}}\leftarrow\mathsf{TokenGen}(\sk)\end{subarray}}[\adv^{\hat{P}% }\text{ wins }\operatorname{\mathcal{G}}_{\mathrm{BB}\text{-}\mathrm{OTP}}(% \ket{\mathsf{tk}},\hat{P})]=\negl.

We do not believe that this is the final say in definitions of one-time security, but we believe it is a useful starting point. The rest of this paper is devoted to proving the following theorem.

Theorem 2 (2 is one-time secure).

Suppose that, for every $x\in\operatorname{\mathcal{X}}$ , the min-entropy of $f(x;r)$ for random $r\leftarrow\operatorname{\mathcal{R}}$ is at least $\poly$ . Suppose further that the quantum one-time authentication scheme in 2 is secure. Then 2 is black-box one-time secure for $f$ .

Our proof of Theorem 2 will center on the notion of a collapsing hash function. The definition of a collapsing hash function is due to [Unr16]; informally, we say that $g$ is collapsing if measuring the output of $g$ collapses the input register from the perspective of any polynomial-time adversary.

Formally, let $g^{H}$ be a function that is computed by making calls to a random oracle $H$ . In this case we define collapsing with the following game.

$\operatorname{\mathcal{G}}_{\mathrm{Collapsing}}(b,g^{H})$ :
1.

The adversary is given a full description of $g$ and oracle access to $H$ .
2.

The adversary sends the challenger a query on register $\operatorname{\mathsf{Q}}$ .
3.

The challenger computes $g^{H}$ on register $\operatorname{\mathsf{Q}}$ and measures the outcome. If $b=1$ , the challenger measures $\operatorname{\mathsf{Q}}$ as well.
4.

The challenger returns $\operatorname{\mathsf{Q}}$ to the adversary.
5.

The adversary outputs a bit $b^{\prime}$ .

Definition 3 (Collapsing hash function [Unr16]).

Let $g^{H}$ be a function that is computed by making calls to a random oracle $H$ . We say that $g^{H}$ is collapsing if, for all adversaries $\adv$ making at most $\poly$ quantum oracle queries to $H$ ,

\Pr_{\begin{subarray}{c}H\\ b\leftarrow\{0,1\}\end{subarray}}[\adv^{H}\text{ outputs }b^{\prime}=b\text{ % in }\operatorname{\mathcal{G}}_{\mathrm{Collapsing}}(b,g^{H})]\leq\frac{1}{2}+\negl.

The key idea in our proof of Theorem 2 is to show that the function $g:x\mapsto f(x;H(x))$ is collapsing if $H$ is a random function and $f$ has significant min-entropy for every $x$ . This is stated as Lemma 1.

Lemma 1.

Let $f:\{0,1\}^{m}\times\{0,1\}^{n}\to\operatorname{\mathcal{Y}}$ . Suppose that for all $x\in\{0,1\}^{m}$ , the min-entropy of $f(x;r)$ for random $r\leftarrow\{0,1\}^{n}$ is at least $\tau$ . Then if $H:\{0,1\}^{m}\to\{0,1\}^{n}$ is a random oracle, the function $g^{H}:x\mapsto f(x;H(x))$ is collapsing with advantage $O(q^{3}\cdot 2^{-\tau})$ .

We will use the compressed oracles technique of [Zha19] to prove Lemma 1 in Section 3.2. This proof is somewhat involved, so before we present it we will show in Section 3.1 that random oracles are collapsing as a warm-up. The proof of Lemma 1 is essentially identical, except that the components need to be updated.

Once we have Lemma 1, Theorem 2 will follow immediately, as we will now see.

Proof of Theorem 2.

Suppose that an adversary $\adv$ making $\poly$ many oracle queries satisfies

\Pr_{\begin{subarray}{c}(\sk,\hat{P})\leftarrow\mathsf{KeyGen}(\secparam,f)\\ \ket{\mathsf{tk}}\leftarrow\mathsf{TokenGen}(\sk)\end{subarray}}[\adv^{\hat{P}% }\text{ wins }\operatorname{\mathcal{G}}_{\mathrm{BB}\text{-}\mathrm{OTP}}(% \ket{\mathsf{tk}},\hat{P})]=\varepsilon

for some $\varepsilon>0$ . We will use Lemma 1 to give a reduction $\operatorname{\mathcal{R}}$ making $\poly$ many queries to $\mathsf{Verify}$ such that

\Pr_{\begin{subarray}{c}\sk\leftarrow\mathsf{AuthKeyGen}(\secparam)\\ \ket{\mathsf{tk}}\leftarrow\mathsf{AuthTokenGen}(\sk)\end{subarray}}[% \operatorname{\mathcal{R}}^{\mathsf{Verify}}\text{ wins }\operatorname{% \mathcal{G}}_{\mathrm{Auth}}(\ket{\mathsf{tk}})]\geq\varepsilon-\negl,

which will complete the proof.

The reduction behaves as follows.

$\operatorname{\mathcal{R}}$ :
1.

Receive $\ket{\mathsf{tk}}$ from the challenger and forward it to $\adv$ . Every time the adversary makes a query to $P$ , use the oracle access to $\mathsf{Verify}(\sk,\cdot)$ to compute the response.
2.

Receive $\operatorname{\mathsf{Q}}$ from the adversary. Measure $\operatorname{\mathsf{Q}}$ , obtaining outcome $(x_{1},z_{1})$ ; return the collapsed register $\operatorname{\mathsf{Q}}$ to the adversary.
3.

Receive $\operatorname{\mathsf{Q}}$ from the adversary again. Measure $\operatorname{\mathsf{Q}}$ , obtaining outcome $(x_{2},z_{2})$ .
4.

Output $(x_{1},z_{1},x_{2},z_{2})$ .

The only thing that’s different about the adversary’s view in $\operatorname{\mathcal{G}}_{\mathrm{BB}\text{-}\mathrm{OTP}}$ and in the game with $\operatorname{\mathcal{R}}$ is that $\operatorname{\mathsf{Q}}$ is measured in the game with $\operatorname{\mathcal{R}}$ . But by Lemma 1, this is indistinguishable to the adversary!

Now observe that if $\adv$ wins $\operatorname{\mathcal{G}}_{\mathrm{BB}\text{-}\mathrm{OTP}}$ , then $\operatorname{\mathcal{R}}$ breaks the one-time unforgeability of the one-time authentication scheme $(\mathsf{AuthKeyGen},\mathsf{AuthTokenGen},\mathsf{Sign},\mathsf{Verify})$ . This is because $y\neq y^{\prime}$ both must not be $\bot$ , which means that $\mathsf{Verify}(\sk,(x_{1},z_{1}))=\mathsf{Verify}(\sk,(x_{2},z_{2}))=1$ and $(x_{1},z_{1})\neq(x_{2},z_{2})$ . This completes the proof. ∎

It only remains to prove Lemma 1.

3.1 Warm-up: Random oracles are collapsing

As a warm-up to proving Lemma 1, we use the compressed oracles technique to present a direct proof that random oracles are collapsing. It is already known that random oracles are collapsing by a proof of [Unr16], but that proof makes use of multiple lemmas that are proven using the compressed oracle technique — here, we prove the result directly using this technique.

Proposition 1.

A random oracle $R:\{0,1\}^{m}\to\{0,1\}^{n}$ is collapsing with advantage $O(q^{3}/2^{n})$ , where $q$ is the number of queries made by the adversary.

Proof.

We use the compressed oracle technique due to [Zha19], and we define $\mathsf{CPhsO},\mathsf{CPhsO}^{\prime}$ and the notation for compressed oracle databases as in that paper. Suppose that the adversary makes $q_{0}$ queries before the challenge query and $q_{1}$ queries after. Depending on whether or not the challenger records the challenge query input, the state just after the challenge query is

\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{x}\otimes\ket{D,D(x)}

\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{x}\otimes\ket{D,D(x),x}.

Here, the first register contains the adversary’s state; the second is the query register; the third is the database register; and the fourth and fifth are the registers into which the challenger records the challenge query output and (in the second case) input.

Next, the adversary makes $q_{1}$ further queries to $\mathsf{CPhsO}$ . Let $U$ be the unitary describing the evolution of the game state under these queries.

Let $\mathsf{Invert}$ be the unitary that reads $\ket{D,y}$ and writes the lexicographically first $x$ such that $(x,y)\in D$ onto a new register, if there is any such $x$ . This function is almost identical to $\mathsf{FindInput}$ from [Zha19]; one can compute either of $\mathsf{Invert}$ or $\mathsf{FindInput}$ with one call to the other.

Our proof strategy is to show that applying $\mathsf{Invert}$ to $\ket{D,D(x)}$ at the end of the game in the $b=0$ case yields the state in the $b=1$ case. Since $\mathsf{Invert}$ is applied only to the challenger’s side, this will complete the proof.

Since $\mathsf{Invert}$ commutes with $\mathsf{CPhsO}^{\prime}$ , [Zha19, Lemma 7] implies that $\mathsf{Invert}$ $O(1/2^{n})$ -almost commutes with $\mathsf{CPhsO}$ . Therefore

\norm{\mathsf{Invert}\circ U\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{% x,D,D(x)}-U\circ\mathsf{Invert}\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes% \ket{x,D,D(x)}}=O\left(q/\sqrt{2^{n}}\right).

By [Zha19, Theorem 2], the mass on branches $D$ with collisions is at most $O(\sqrt{q^{3}/2^{n}})$ in the state on the right, so:

\norm{U\circ\mathsf{Invert}\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{x% ,D,D(x)}-U\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{x,D,D(x),x}}=O% \left(\sqrt{q^{3}/2^{n}}\right).

Putting it together, we have

\norm{\mathsf{Invert}\circ U\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{% x,D,D(x)}-U\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{x,D,D(x),x}}=O% \left(\sqrt{q^{3}/2^{n}}\right),

completing the proof. ∎

3.2 Proof of Lemma 1

In this section we will prove Lemma 1, which we reproduce below.

Lemma 1.

Let $f:\{0,1\}^{m}\times\{0,1\}^{n}\to\operatorname{\mathcal{Y}}$ . Suppose that for all $x\in\{0,1\}^{m}$ , the min-entropy of $f(x;r)$ for random $r\leftarrow\{0,1\}^{n}$ is at least $\tau$ . Then if $H:\{0,1\}^{m}\to\{0,1\}^{n}$ is a random oracle, the function $g:x\mapsto f(x;H(x))$ is collapsing with advantage $O(q^{3}\cdot 2^{-\tau})$ .

Proof.

We will follow the same proof strategy as Proposition 1, except that we will need to generalize the components to handle the case where the high-entropy function $f$ is applied to the random oracle output. We give our generalizations of [Zha19, Lemma 7] and [Zha19, Theorem 2] in 2 and 1, respectively.

Suppose that the adversary makes $q_{0}$ queries before the challenge query and $q_{1}$ queries after. Depending on whether or not the challenger records the challenge query input, the state just after the challenge query is

\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{x}\otimes\ket{D,f(x;D(x))}

\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{x}\otimes\ket{D,f(x;D(x)),x}.

The first register contains the adversary’s state; the second is the query register; the third is the database register; and the fourth and fifth are the registers into which the challenger records the challenge query output and (in the second case) input.

Next, the adversary makes $q_{1}$ further queries to $\mathsf{CPhsO}$ . Let $U$ be the unitary describing the evolution of the game state under these queries.

Let $\mathsf{Invert}_{f}$ be the unitary that, given $D,y$ , writes the lexicographically first $x$ such that $f(x;D(x))=y$ onto a new register, if such an $x$ exists. Our proof strategy is to show that applying $\mathsf{Invert}_{f}$ to $\ket{D,f(x;D(x))}$ at the end of the game in the $b=0$ case yields the state in the $b=1$ case. Since $\mathsf{Invert}_{f}$ is applied only to the challenger’s side, this will complete the proof.

By 2,

	$\displaystyle\Biggl{\|}\!\Biggl{\|}\mathsf{Invert}_{f}\circ U\sum_{D,x}\alpha_{D% ,x}\ket{\psi_{D,x}}\otimes\ket{x,D,f(x;D(x))}$
	$\displaystyle-U\circ\mathsf{Invert}_{f}\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}% \otimes\ket{x,D,f(x;D(x))}\Biggr{\|}\!\Biggr{\|}$	$\displaystyle=O\left(q/\sqrt{2^{\tau}}\right).$

By 1, the mass on branches $D$ with collisions $f(x;D(x))=f(x^{\prime};D(x^{\prime}))$ is at most $O(\sqrt{q^{3}/2^{\tau}})$ in the state on the right, so

	$\displaystyle\Biggl{\|}\!\Biggl{\|}U\circ\mathsf{Invert}_{f}\sum_{D,x}\alpha_{D,% x}\ket{\psi_{D,x}}\otimes\ket{x,D,f(x;D(x))}$
	$\displaystyle-U\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{x,D,f(x;D(x))% ,x}\Biggr{\|}\!\Biggr{\|}$	$\displaystyle=O\left(\sqrt{q^{3}/2^{\tau}}\right).$

Putting it together, we have

	$\displaystyle\Biggl{\|}\!\Biggl{\|}\mathsf{Invert}_{f}\circ U\sum_{D,x}\alpha_{D% ,x}\ket{\psi_{D,x}}\otimes\ket{x,D,f(x;D(x))}$
	$\displaystyle-U\sum_{D,x}\alpha_{D,x}\ket{\psi_{D,x}}\otimes\ket{x,D,f(x;D(x))% ,x}\Biggr{\|}\!\Biggr{\|}$	$\displaystyle=O\left(\sqrt{q^{3}/2^{\tau}}\right),$

completing the proof. ∎

We need a generalization of Theorem 2 from [Zha19].

Claim 1.

For any adversary making $q$ queries to $\mathsf{CPhsO}$ , if the database $D$ is measured after the $q$ queries, the resulting database will contain distinct inputs $x,x^{\prime}$ such that $f(x;D(x))=f(x^{\prime};D(x^{\prime}))$ with probability at most $O(q^{3}/2^{\tau})$ .

Proof.

We closely follow the proof of Theorem 2 from [Zha19].

We say that $D$ contains an $f$ -collision if it contains distinct inputs $x,x^{\prime}$ such that $f(x;D(x))=f(x^{\prime};D(x^{\prime}))$ . The compressed oracle’s database starts out empty, so the probability of containing an $f$ -collision starts out as 0. We will show that the probability cannot rise too much with each query. Consider the game state just before the $q$ th query:

\ket{\psi}=\sum_{x,w,z,D}\alpha_{x,w,D}\ket{x,w,z}\otimes\ket{D},

where $D$ is the compressed phase oracle, $x,w$ are the query registers, and $z$ is the adversary’s internal register.

Let $P$ be the projection onto the span of basis states $\ket{x,w,z}\otimes\ket{D}$ where $D$ contains an $f$ -collision. We will relate $\norm{P\ket{\psi}}$ to $\norm{P\circ\mathsf{CPhsO}\ket{\psi}}$ .

Let $Q$ be the projection onto the span of basis states $\ket{x,w,z}\otimes\ket{D}$ such that $D$ does not contain an $f$ -collision, $w\neq 0$ , and $D(x)=\bot$ . Let $R$ be the projection onto the span of states such that $D$ does not contain an $f$ -collision, $w\neq 0$ , and $D(x)\neq\bot$ . Let $S$ be the projection onto the span of states such that $D$ does not contain an $f$ -collision and $w=0$ . Observe that $P+Q+R+S=I$ .

Applying $P\circ\mathsf{CPhsO}$ to any state $\sum_{x,w,z,D}\alpha_{x,w,z,D}\ket{x,w,z}\otimes\ket{D}$ in the support of $Q$ yields

\sum_{x,w,z,D}\alpha_{x,w,z,D}\ket{x,w,z}\otimes 2^{-n/2}\sum_{r:\exists(x^{% \prime},r^{\prime})\in D\text{ s.t. }f(x;r)=f(x^{\prime};r^{\prime})}(-1)^{w% \cdot r}\ket{D\cup(x,r)}.

Let $\ket{D}=\ket{(x_{1},r_{1}),\dots,(x_{q^{\prime}},r_{q^{\prime}})}$ , where $q^{\prime}\leq q$ . We can then write the above state as $2^{-n/2}\sum_{i=1}^{q}\ket{\phi_{i}}$ , where

\ket{\phi_{i}}=\sum_{x,w,z,D}\alpha_{x,w,z,D}\ket{x,w,z}\otimes\sum_{r:f(x;r)=% f(x_{i};r_{i})}(-1)^{w\cdot r}\ket{D\cup(x,r)}.

The $\ket{\phi_{i}}$ are orthogonal and satisfy $\norm{\ket{\phi_{i}}}\leq\sqrt{2^{n-\tau}}\norm{Q\ket{\psi}}$ , because there are at most $2^{n-\tau}$ choices of $r$ satisfying $f(x;r)=f(x_{i};r_{i})$ due to the min-entropy condition on $f$ . Therefore, $\norm{P\circ\mathsf{CPhsO}\circ Q\ket{\psi}}\leq\sqrt{q/2^{\tau}}\norm{Q\ket{% \psi}}$ .

For states $R\ket{\psi}=\sum_{x,w,z,D}\alpha_{x,w,z,D}\ket{x,w,z}\otimes\ket{D}$ in the support of $R$ , let $D^{\prime}$ be $D$ with $x$ removed and write $D=D^{\prime}\cup(x,r)$ for $r=D(x)$ . Then $\mathsf{CPhsO}\ket{x,w,z}\otimes\ket{D}$ is

\ket{x,w,z}\otimes\left((-1)^{w\cdot r}\left(\ket{D^{\prime}\cup(x,r)}+\frac{1% }{\sqrt{2^{n}}}\ket{D^{\prime}}\right)+\frac{1}{2^{n}}\sum_{r^{\prime}}(1-(-1)% ^{w\cdot r}-(-1)^{w\cdot r^{\prime}})\ket{D^{\prime}\cup(x,r^{\prime})}\right),

P\circ\mathsf{CPhsO}\circ R\ket{\psi}=\sum_{x,w,z,D^{\prime},r}\alpha_{x,w,z,D% ^{\prime},r}\ket{x,w,z}\otimes\frac{1}{2^{n}}\sum_{r^{\prime}:\exists(x^{% \prime\prime},r^{\prime\prime})\in D\text{ s.t. }f(x;r^{\prime})=f(x^{\prime% \prime};r^{\prime\prime})}(1-(-1)^{w\cdot r}-(-1)^{w\cdot r^{\prime}})\ket{D^{% \prime}\cup(x,r^{\prime})}.

Let $\ket{D^{\prime}}=\ket{(x_{1},r_{1}),\dots,(x_{q^{\prime}},r_{q^{\prime}})}$ and

\ket{\phi_{i}}=\frac{1}{2^{n}}\sum_{x,w,z,D^{\prime},r}\alpha_{x,w,z,D^{\prime% },r}\ket{x,w,z}\otimes\sum_{r^{\prime}:f(x;r^{\prime})=f(x_{i};r_{i})}(1-(-1)^% {w\cdot r}-(-1)^{w\cdot r^{\prime}})\ket{D^{\prime}\cup(x,r^{\prime})}.

Then the $\ket{\phi_{i}}$ are orthogonal and

	$\displaystyle\norm{\ket{\phi_{i}}}^{2}$	$\displaystyle=\frac{1}{4^{n}}\sum_{x,w,z,D^{\prime},r^{\prime}:f(x;r^{\prime})% =f(x_{i};r_{i})}\absolutevalue{\sum_{r}\alpha_{x,w,z,D^{\prime},r}(1-(-1)^{w% \cdot r}-(-1)^{w\cdot r^{\prime}})}^{2}$
		$\displaystyle\leq\frac{3}{2^{n}}\sum_{x,w,z,D^{\prime},r,r^{\prime}:f(x;r^{% \prime})=f(x_{i};r_{i})}\absolutevalue{\alpha_{x,w,z,D^{\prime},r}}^{2}$
		$\displaystyle\leq\frac{3}{2^{\tau}}\norm{R\ket{\psi}}^{2},$

so $\norm{P\circ\mathsf{CPhsO}\circ R\ket{\psi}}\leq\sqrt{3q/2^{\tau}}\norm{R\ket{% \psi}}$ .

Finally, $\norm{P\circ\mathsf{CPhsO}\circ P\ket{\psi}}\leq\norm{P\ket{\psi}}$ and $\mathsf{CPhsO}\circ S\ket{\psi}=S\ket{\psi}$ . Putting everything together, $\norm{P\ket{\psi}}$ increases by at most $O(\sqrt{q/2^{n}})$ with each query. Therefore, after $q$ queries, the total norm of $P\ket{\psi}$ is at most $O(\sqrt{q^{3}/2^{n}})$ , completing the proof. ∎

The following is similar to Lemma 7 from [Zha19].

Claim 2.

Consider a quantum system over $x,w,D,y$ . Let $f$ be a function such that for every $x$ , for uniformly random $r=D(x)$ , $f(x;r)$ has min-entropy at least $\tau$ . Then the following unitaries $O(1/\sqrt{2^{\tau}})$ -almost commute:

•

$\mathsf{CPhsO}$ , acting on the $x,w,D$ registers.
•

$\mathsf{Invert}_{f}$ , taking as input the $D,y$ registers and XORing the output onto a new register.

Proof.

Recall the definitions of $\mathsf{CPhsO}^{\prime},\mathsf{StdDecomp}$ , and $\mathsf{Increase}$ from [Zha19]. In particular, recall that $\mathsf{CPhsO}=\mathsf{StdDecomp}\circ\mathsf{CPhsO}^{\prime}\circ\mathsf{% StdDecomp}\circ\mathsf{Increase}$ . Since $\mathsf{Invert}_{f}$ commutes with $\mathsf{CPhsO}^{\prime}$ and $\mathsf{Increase}$ by construction, it suffices to show that $\mathsf{Invert}_{f}$ and $\mathsf{StdDecomp}$ are $O(1/\sqrt{2^{\tau}})$ -almost commuting. To show this, the following intuition is taken from [Zha19], adapted to our setting.

For $\mathsf{StdDecomp}$ to have any effect, either (1) $D(x)=\bot$ or (2) $D(x)$ is in uniform superposition; $\mathsf{StdDecomp}$ will simply toggle between the two cases. In Case (2), the probability that $\mathsf{Invert}_{f}$ will find a match at input $x$ is at most $2^{-\tau}$ . And in Case (1), $\mathsf{Invert}_{f}$ will never find a match at input $x$ . Hence, there is an exponentially small error between the action of $\mathsf{Invert}_{f}$ on these two cases.

More formally, let $\ket{\psi}=\sum_{x,D,y}\alpha_{x,D,y}\ket{x,D,y}$ . We omit the $w$ register because neither $\mathsf{StdDecomp}$ nor $\mathsf{Invert}_{f}$ touch $w$ . Let $P$ be the projection onto $D(x)=\bot$ , and let $Q$ be the projection onto $D(x)=\ket{+}$ . Writing $D=D^{\prime}\cup(x,\bot)$ ,

\mathsf{StdDecomp}\circ\mathsf{Invert}_{f}\circ P\ket{\psi}=2^{-n/2}\sum_{x,D^% {\prime},y,r}\alpha_{x,D^{\prime},y}\ket{x,D^{\prime}\cup(x,r),y,\mathsf{% Invert}_{f}(D^{\prime},y)}

and

\mathsf{Invert}_{f}\circ\mathsf{StdDecomp}\circ P\ket{\psi}=2^{-n/2}\sum_{x,D^% {\prime},y,r}\alpha_{x,D^{\prime},y}\ket{x,D^{\prime}\cup(x,r),y,\mathsf{% Invert}_{f}(D^{\prime}\cup(x,r),y)},

where $\mathsf{Invert}_{f}(D,y)$ outputs the lexicographically first $x$ such that $f(x,D(x))=y$ , if such an $x$ exists. Letting $\Delta:=\mathsf{StdDecomp}\circ\mathsf{Invert}_{f}-\mathsf{Invert}_{f}\circ% \mathsf{StdDecomp}$ , we have

\Delta\circ P\ket{\psi}=2^{-n/2}\sum_{x,D^{\prime},y,r}\alpha_{x,D^{\prime},y}% \ket{x,D^{\prime}\cup(x,r),y}\otimes\left(\ket{\mathsf{Invert}_{f}(D^{\prime},% y)}-\ket{\mathsf{Invert}_{f}(D^{\prime}\cup(x,r),y)}\right),

and

	$\displaystyle\norm{\Delta\circ P\ket{\psi}}^{2}$	$\displaystyle=2^{-n}\sum_{x,D^{\prime},y,r}\absolutevalue{\alpha_{x,D^{\prime}% ,y}}^{2}\left(2-2\cdot 1\{\mathsf{Invert}_{f}(D^{\prime},y)=\mathsf{Invert}_{f% }(D^{\prime}\cup(x,r),y)\}\right)$
		$\displaystyle=2\norm{P\ket{\psi}}^{2}-2\sum_{x,D^{\prime},y}\absolutevalue{% \alpha_{x,D^{\prime},y}}^{2}\Pr_{r}[\mathsf{Invert}_{f}(D^{\prime},y)=\mathsf{% Invert}_{f}(D^{\prime}\cup(x,r),y)]$
		$\displaystyle\leq\frac{2}{2^{\tau}}\norm{P\ket{\psi}}^{2},$

since $\Pr_{r}[\mathsf{Invert}_{f}(D^{\prime},y)=\mathsf{Invert}_{f}(D^{\prime}\cup(x% ,r),y)]\geq 1-2^{-\tau}$ .

Similarly, $\norm{\Delta\circ Q\ket{\psi}}^{2}\leq 2\cdot 2^{-\tau}\norm{Q\ket{\psi}}^{2}$ . Since $\Delta\circ(I-P-Q)=0$ , it follows that $\norm{\Delta\ket{\psi}}=O(1/\sqrt{2^{\tau}})$ . ∎

References

[Aar09] Scott Aaronson. Quantum copy-protection and quantum money. In 2009 24th Annual IEEE Conference on Computational Complexity, pages 229–242. IEEE, 2009.
[AB24] Prabhanjan Ananth and Amit Behera. A modular approach to unclonable cryptography. In Leonid Reyzin and Douglas Stebila, editors, Advances in Cryptology - CRYPTO 2024 - 44th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2024, Proceedings, Part VII, volume 14926 of Lecture Notes in Computer Science, pages 3–37. Springer, 2024.
[ALL⁺21] Scott Aaronson, Jiahui Liu, Qipeng Liu, Mark Zhandry, and Ruizhe Zhang. New approaches for quantum copy-protection. In Tal Malkin and Chris Peikert, editors, Advances in Cryptology - CRYPTO 2021 - 41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, August 16-20, 2021, Proceedings, Part I, volume 12825 of Lecture Notes in Computer Science, pages 526–555. Springer, 2021.
[AP21] Prabhanjan Ananth and Rolando L. La Placa. Secure software leasing. In Anne Canteaut and François-Xavier Standaert, editors, Advances in Cryptology - EUROCRYPT 2021 - 40th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Zagreb, Croatia, October 17-21, 2021, Proceedings, Part II, volume 12697 of Lecture Notes in Computer Science, pages 501–530. Springer, 2021.
[BB14] Charles H Bennett and Gilles Brassard. Quantum cryptography: Public key distribution and coin tossing. Theoretical computer science, 560:7–11, 2014.
[BGS13] Anne Broadbent, Gus Gutoski, and Douglas Stebila. Quantum one-time programs. IACR Cryptol. ePrint Arch., page 343, 2013.
[BI20] Anne Broadbent and Rabib Islam. Quantum encryption with certified deletion. In Rafael Pass and Krzysztof Pietrzak, editors, Theory of Cryptography - 18th International Conference, TCC 2020, Durham, NC, USA, November 16-19, 2020, Proceedings, Part III, volume 12552 of Lecture Notes in Computer Science, pages 92–122. Springer, 2020.
[BS23] Shalev Ben-David and Or Sattath. Quantum tokens for digital signatures. Quantum, 7:901, 2023.
[CG24] Andrea Coladangelo and Sam Gunn. How to use quantum indistinguishability obfuscation. In Bojan Mohar, Igor Shinkar, and Ryan O’Donnell, editors, Proceedings of the 56th Annual ACM Symposium on Theory of Computing, STOC 2024, Vancouver, BC, Canada, June 24-28, 2024, pages 1003–1008. ACM, 2024.
[CHV23] Céline Chevalier, Paul Hermouet, and Quoc-Huy Vu. Semi-quantum copy-protection and more. In Guy N. Rothblum and Hoeteck Wee, editors, Theory of Cryptography - 21st International Conference, TCC 2023, Taipei, Taiwan, November 29 - December 2, 2023, Proceedings, Part IV, volume 14372 of Lecture Notes in Computer Science, pages 155–182. Springer, 2023.
[CLLZ21] Andrea Coladangelo, Jiahui Liu, Qipeng Liu, and Mark Zhandry. Hidden cosets and applications to unclonable cryptography. In Tal Malkin and Chris Peikert, editors, Advances in Cryptology - CRYPTO 2021 - 41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, August 16-20, 2021, Proceedings, Part I, volume 12825 of Lecture Notes in Computer Science, pages 556–584. Springer, 2021.
[GKR08] Shafi Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. One-time programs. In David A. Wagner, editor, Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008. Proceedings, volume 5157 of Lecture Notes in Computer Science, pages 39–56. Springer, 2008.
[GLR⁺24] Aparna Gupte, Jiahui Liu, Justin Raizes, Bhaskar Roberts, and Vinod Vaikuntanathan. Quantum one-time programs, revisited. CoRR, 2024.
[LLQZ22] Jiahui Liu, Qipeng Liu, Luowen Qian, and Mark Zhandry. Collusion resistant copy-protection for watermarkable functionalities. In Eike Kiltz and Vinod Vaikuntanathan, editors, Theory of Cryptography - 20th International Conference, TCC 2022, Chicago, IL, USA, November 7-10, 2022, Proceedings, Part I, volume 13747 of Lecture Notes in Computer Science, pages 294–323. Springer, 2022.
[Shm22] Omri Shmueli. Semi-quantum tokenized signatures. In Yevgeniy Dodis and Thomas Shrimpton, editors, Advances in Cryptology - CRYPTO 2022 - 42nd Annual International Cryptology Conference, CRYPTO 2022, Santa Barbara, CA, USA, August 15-18, 2022, Proceedings, Part I, volume 13507 of Lecture Notes in Computer Science, pages 296–319. Springer, 2022.
[Unr16] Dominique Unruh. Computationally binding quantum commitments. In Marc Fischlin and Jean-Sébastien Coron, editors, Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Proceedings, Part II, volume 9666 of Lecture Notes in Computer Science, pages 497–527. Springer, 2016.
[Wie83] Stephen Wiesner. Conjugate coding. ACM Sigact News, 15(1):78–88, 1983.
[Zha19] Mark Zhandry. How to record quantum queries, and applications to quantum indifferentiability. In Alexandra Boldyreva and Daniele Micciancio, editors, Advances in Cryptology - CRYPTO 2019 - 39th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2019, Proceedings, Part II, volume 11693 of Lecture Notes in Computer Science, pages 239–268. Springer, 2019.

Quantum One-Time Protection of any Randomized Algorithm

Abstract

1 Introduction

Improving Solution (1) with copy protection.

Improving Solution (2) with one-time programs.

This work.

Prior and concurrent work on one-time programs.

Removing quantum communication.

2 The construction

2.1 One-time authentication with strong unforgeability

Remark.

Definition 1 (Quantum one-time authentication with strong unforgeability).

Construction 1 (Single-bit quantum one-time authentication from hidden subspace states, [BS23]).

𝖠𝗎𝗍𝗁𝖪𝖾𝗒𝖦𝖾𝗇⁢(\secparam)𝖠𝗎𝗍𝗁𝖪𝖾𝗒𝖦𝖾𝗇\secparam\mathsf{AuthKeyGen}(\secparam)sansserif_AuthKeyGen ( )

𝖠𝗎𝗍𝗁𝖳𝗈𝗄𝖾𝗇𝖦𝖾𝗇⁢(A)𝖠𝗎𝗍𝗁𝖳𝗈𝗄𝖾𝗇𝖦𝖾𝗇𝐴\mathsf{AuthTokenGen}(A)sansserif_AuthTokenGen ( italic_A )

𝖲𝗂𝗀𝗇⁢(x,|A⟩)𝖲𝗂𝗀𝗇𝑥ket𝐴\mathsf{Sign}(x,\ket{A})sansserif_Sign ( italic_x , | start_ARG italic_A end_ARG ⟩ )

𝖵𝖾𝗋𝗂𝖿𝗒⁢(A,(x,z))𝖵𝖾𝗋𝗂𝖿𝗒𝐴𝑥𝑧\mathsf{Verify}(A,(x,z))sansserif_Verify ( italic_A , ( italic_x , italic_z ) )

Theorem 1 (Adapted from Theorem 16 of [BS23]).

2.2 Our one-time program construction

Construction 2 (General-purpose one-time programs).

𝖪𝖾𝗒𝖦𝖾𝗇⁢(\secparam,f)𝖪𝖾𝗒𝖦𝖾𝗇\secparam𝑓\mathsf{KeyGen}(\secparam,f)sansserif_KeyGen ( , italic_f )

𝖳𝗈𝗄𝖾𝗇𝖦𝖾𝗇⁢(\sk)𝖳𝗈𝗄𝖾𝗇𝖦𝖾𝗇\sk\mathsf{TokenGen}(\sk)sansserif_TokenGen ( )

𝖳𝗈𝗄𝖾𝗇𝖤𝗏𝖺𝗅⁢(x,|𝗍𝗄⟩,P^)𝖳𝗈𝗄𝖾𝗇𝖤𝗏𝖺𝗅𝑥ket𝗍𝗄^𝑃\mathsf{TokenEval}(x,\ket*{\mathsf{tk}},\hat{P})sansserif_TokenEval ( italic_x , | start_ARG sansserif_tk end_ARG ⟩ , over^ start_ARG italic_P end_ARG )

3 Security

Definition 2 (One-time program).

Theorem 2 (2 is one-time secure).

Definition 3 (Collapsing hash function [Unr16]).

Lemma 1.

Proof of Theorem 2.

3.1 Warm-up: Random oracles are collapsing

Proposition 1.

Proof.

3.2 Proof of Lemma 1

Lemma 1.

Proof.

Claim 1.

Proof.

Claim 2.

Proof.

References

$\mathsf{AuthKeyGen}(\secparam)$

$\mathsf{AuthTokenGen}(A)$

$\mathsf{Sign}(x,\ket{A})$

$\mathsf{Verify}(A,(x,z))$

$\mathsf{KeyGen}(\secparam,f)$

$\mathsf{TokenGen}(\sk)$

$\mathsf{TokenEval}(x,\ket*{\mathsf{tk}},\hat{P})$