 Hello, my name is Prabhanjan Anand from UC Santa Barbara and I'm going to talk about Secure Software Leasing. This is a joint work with Rolando La Placa. So the no cloning theorem of quantum mechanics states that there does not exist a universal cloner that given an input, a quantum state and it outputs two copies of the same quantum state. In other words, it says that if I give you an arbitrary quantum state, you will not be able to copy this quantum state. While no cloning theorem might come across as a limitation of quantum mechanics, the principle of no cloning is the basis for many interesting cryptography primitives. Let us look at some examples. In 1983, Weisner came up with this brilliant idea of associating money with quantum states in such a way that an adversary will not be able to produce many copies of this money state. This principle has also been studied in the context of introduction schemes. You can associate ciphertexts with quantum states in such a way that you cannot produce two ciphertexts that both decrypt the same message as the original ciphertext. This concept has also been studied in the context of signatures. So finally, the no cloning principle has been useful for preventing software piracy. The notion that studied this is called quantum copy protection, which was first introduced by Ironson. This notion of quantum copy protection is going to be the main focus of this talk. Let us try to understand this problem. You have software vendor who is selling their software that they manufactured. You want to make sure that the users who are buying the software are not illegally distributing this for their own profit. This is the problem we want to solve. It turns out that classical technology is not very useful to solve this problem. The reason being that if you represent software as binary strengths, this can always be copied. It is unclear how to solve this problem. The natural question is whether we can use the no cloning theorem to solve this. We can use the no cloning principle to solve this problem. Ironson introduced the notion of quantum copy protection to precisely address this problem. Let us see what quantum copy protection is. Let us consider a specific example. Let us say there is a Microsoft who wants to sell their software. Let us say the software is represented as a circuit C. What Microsoft does is it compiles C into a quantum state denoted by rho C. It sends rho C along with an evaluation algorithm to the user. We want the guarantee that if you run the evaluation algorithm on rho C and any input x, you would get the same result if you evaluate C on x. In other words, the functionality is preserved even after you do this compilation process. In terms of security, what we want is suppose there is a user who has gone rogue. He gets this compiled software from Microsoft. He tries to create two copies of the software in such a way that both these copies compute the same circuit C. In other words, in the first copy, the user sends let us say rho C1 and eval1. The goal is that if you run eval1 on rho C1 and any input x, you should get back C of x. Similarly, he does this for the second copy too. The intuitive security property we want is that if the user tries to create these two copies, satisfying these two conditions, then you should only be able to succeed with very small probability. Let us say like digital probability. In this example, I consider the case when rho C1 and rho C2 could be unentangled and let us say he only is expected to output two copies. But in reality, maybe the user gets K copies of the compiled circuit and we want the guarantee that he should not be able to output K plus 1 copies. All these different copies could be entangled with each other. So we want the guarantee that if you evaluate all of them on an input x, the probability that all of them output C of x is negligent. Let us make some simple observations about quantum code protection. These observations were already there in the original work of Farnson. Firstly, this notion is impossible to achieve classically as we saw earlier. The second observation is that this notion is impossible for learnable functions because you have black box access to the function, then you can sort of learn this function by running it on many inputs. And once you learn the function, now you can generate how many of your copies you want because you have maybe like a classical description of this function so you can replicate this function many times. So quantum copy protection is really like a fundamental primitive in quantum cryptography because you can think about many primitives like unplanned encryption, one-time signatures and so on as copy-protecting very specific functionalities. So what do we know about quantum copy protection? Aronson in the work where he introduced copy protection, he also came up with the construction of copy protection for all unlearnable functions in the quantum oracle model. This is the model where the oracle runs some quantum functionality. And then in a more recent work, there was a construction of quantum copy protection for unlearnable functions in classical oracle model. In this model, the functionality implemented in the oracle is classical but the queries could be superposition queries, but that could be quantum queries. And these two results were in the oracle model. What do we know in the plain model? In the plain model, we knew of only heuristic construction of copy protection for very, very specific functions, namely point functions in the plain model. So a natural question that was left open since Aronson's work was whether we can construct quantum copy protection for all unlearnable functions. And in this work, we show that the answer is no. We show that there does exist unlearnable functions for which quantum copy protection is impossible. And our result is conditional because we make use of cryptographic assumptions. So we show that there does not exist quantum copy protection for all unlearnable functions assuming FIT core quantum circuits and also that learning method is hard to understand quantum polynomial time algorithms. Yeah, so quantum FHE is just FHE for quantum computations. OK, specifically we identify a class of functions such that this class of functions is quantum unlearnable and moreover, given any copy protected state, given like a physical access to a copy protected state that computes this function, we can create new copies of this function. It turns out that the techniques underlying the impossibility result of copy protection is also useful for ruling out quantum virtual blacks of fiscation. So recall that classical VVV of fiscation was ruled out by Barack et al. in 2001. And you can ask this question whether you can obfuscate classical programs but using quantum machinery, meaning that, suppose let's say you allow for the obfuscation algorithm to be a quantum circuit and let's say the output is a quantum state. So if this is the case, then can you actually achieve virtual black box obfuscation? And we show that even this is not possible. Like even if you use quantum mechanics, you cannot achieve the strongest notion of obfuscation, which is the virtual black box obfuscation. And this was also concurrently observed by Alachic, Bruckersky, Dulek, and Schaffner. And they ruled out quantum virtual blacks of fiscation, black box of fiscation under weaker assumptions, just the quantum hardness of LW. Okay, so, you know, Sabi's piece ruled out the existence of copy protection for all unable functions. So you can ask the question whether you can construct copy protection for a subclass of unable functions. For example, let's say they are evasive functions. And in particular, we are interested in constructions without using any oracles. And this seems like a hard problem. And so we observe that in some settings, we don't need the strongest notion of copy protection. We can settle with some weaker notions of copy protection, and this is what we are going to do. So to understand how we can weaken the definition of copy protection, we are going to recall the copy protection setting. So in copy protection, the adversary can produce two states. And along with these two states, the adversary also produces its own evaluation algorithms. And we want to guarantee that simultaneously these two evaluation algorithms don't compute the original circuit C with non-negligible probability. So you can consider scenarios where the evaluation algorithm, choosing the evaluation algorithm is not under the control of the adversary. So for example, let's say there's some software that only runs on a specific operating system. Of course, the adversary can look at the software and create its own open source versions. But we want to make sure that these open source versions don't run on the same operating system, right? So because if the adversary is able to create such a software where a pirated software that runs on the same OS, then this might affect the revenue of the company which created the software. Okay, so towards sort of capturing the setting, we're going to introduce the notion of secure software leasing. So in this setting, you know, consider the scenario where the company, let's say Microsoft leases software to a user. And after the lease period is over, the user is supposed to return back the software. And after returning back the software, the user loses the ability to run the software again on Windows. So in other words, the user does not have any copy of the software after it returns back the software. So we can consider sort of like two leases. One is infinite term leases where the lease never expires, which means that the user can keep the software forever. The other type of lease is finite term leases. Here, the lease will expire after a certain amount of time. Right, so based on these two notions of leases, we can actually define, we can give two different definitions of secure software leasing. In the first definition, which is called the infinite term lesser security, the adversary cannot produce two copies that both compute the original circuit with respect to the same evaluation algorithm that was provided by the software creator. Right, in infinite term lesser security, you have a weaker guarantee that, you know, the adversary is supposed to return the first copy. And if the first copy does not, either it is the case that the first copy does not pass the verification check, or if it passes, then it has to be the case that the second copy does not evaluate the circuit with respect to the same evaluation algorithm. Okay, so pictorially speaking, you can say that, you know, the user should not be able to produce two different states that both compute. See, in the case of infinite term lesser security, but in the case of finite term lesser security, the user is supposed to return back the software. And after that, you look at whether the second copy computes the original circuit or not. Okay. Okay, so now, you know, we said that, you know, constructing copy protection is hard, so let's look at this weaker notion. And you can ask if SSL exists for unlawful functions. And unfortunately, the same impossibility result for copy protection can actually be modified and can be used to rule or finite term SSL as well. But on the other hand, it could very well be the case that building SSL for simple class of unlawful functions might be much easier than building, let's say copy protection for the same class of functions. And that's what we're going to do. So we want to show that there exists infinite term SSL for evasive functions assuming the existence of sub-exponential QLW, post-quantum indistinguishability of skaters, and also post-quantum input hiding of skaters. So evasive functions here, I just mean that, you know, it should be computationally hard to find inputs on which the function outputs one, right? So it's a few remarks are in order on the assumptions. So sub-exponential QLW just means that the learning with reverse assumption is hard against sub-exponential quantum polynomial time adversaries. Post-quantum IO just means that IO is secure against QPD adversaries. And finally, we also use input hiding of skaters. Roughly speaking, the security definition says that if I give you obfuscation of what you could see, then you cannot find an input X as that C of X as one. And we give a very simple sort of observation that you can construct input hiding of skaters for compute and compare from LW, right? And compute and compare class of functions as the following class of functions. If they take as input X, they compute on X to obtain A prime and you output one if and only if A prime equals A, right? So you're computing something and then comparing with some other hard-wired input, okay? So if you combine this observation, then you can show that there exists infinity term as itself for compute and compare sub-quates, assuming the existence of sub-exponential QLW and post-quantum industry-influential skaters, okay? So we summarize our contributions. We show that copy protection is impossible to achieve like even finite term SSL can be ruled out from quantum FHM QLW. And then we also give a construction of infinite term SSL for evasive functions. Okay, so let's get into the technical details. Let's start with the impossibility result. So the main tool we are going to use is a quantum FHM scheme. This just means that given encryption of a quantum state, then you can homomorphically evaluate this on any quantum circuit C to obtain encryption of C applied on the original state. The main starting point, we're going to... The main insight that we are going to use is from the similar work of Barak et al. who say that there exists a class of circuits for which if I give you a classical software implementing this circuit, then you can recover some secret S. But if I give you black box access to the circuit, then you cannot recover the secret S. So why is this insight useful? So we can look at the first bullet and see maybe this might be useful for recovering another implementation of C. And maybe from bullet to we can use that to prove unlearnability of C, right? In other words, maybe the same class of circuits that they have could be used to rule out copper protection as well. Okay, so there are some challenges in implementing this approach. The first one is that in Barak et al. it was sufficient to talk about just recovering one secret bit. That was enough, right? But in this case, you know, you're not just recovering, you know, just a secret, but you're also, you need to recover an implementation of C. You need to recover the whole, the description of the whole function. And the second challenge is that in Barak et al.'s argument, you know, they crucially rely on the evaluator being able to make copies of the software. And this is a problem because in the quantum setting, you cannot do this due to the no-cloning theorem. Okay, but nonetheless, you know, we're going to start with the same class of circuits that Barak et al. started off with. And we will see how to sort of address these challenges and modify them in a way that handles the challenge that we described. Okay, the circuit, the class of circuits we're considering is such that any circuit in this class is parameterized by two values, A and B. It takes as input X. X is zero, then your output interruption of A with respect to the public key pk. And if X is A, then you output the value B. And in all other inputs, you just output zero. So this is the class of circuits. So you can show that this is unlearnable. This is done using the adversary method introduced by minus. Okay. So how do we, how do we show that this is insecure? So to show that it is insecure, here is what we could do. So we have a physical description of the of the software that implements CAV. On input zero, you're going to evaluate this on input zero to get encryption of A. And then you're going to use the fact that you have a physical description of the software, right? You're going to use this physical description to homophically evaluate on encryption of A. And you do that, you get encryption of B, right? Because since Euro C computes C, A, B, if you run on A, you have to get B. This is just a description of CAV. So now in order to copy CAV, all we need to do is recover B. Because once you recover B, you have encryption of A, you have B, and then you're done, right? You also need to recover A, but let's ignore that part for now. But the problem is, you don't know how to recover B. And the reason is that, and the reason is because B and Euro C prime are encrypted. So if you want to run the software implementing CAV again, you cannot. That software is encrypted now. And you only have one copy of this software. So once this becomes encrypted, it becomes unusable. So to circumvent this problem, we're going to use virtual black box obfuscation. So we're going to modify the template where on input X equals 0, in addition to outputting encryption of A, you also output an obfuscation of a circuit G. What does this circuit G do? It takes its input to encryption of P and then releases both A and B. So once you do that, you're done because you get this encryption of A and obfuscated circuit by evaluating the circuit on 0. And then you're going to homomorphically evaluate the circuit on encryption of A to get encryption of P. Then you use this obfuscated circuit to get A and B in the clear, right? So we used a VBB obfuscation scheme in our impossibility result. Now the question is how do we instantiate it? It turns out that since the class of circuits that we are VBB obfuscating is very special, we can instantiate it using lockable obfuscation or competing compare obfuscation. And this combination of using lockable obfuscation and quantum FHE was also developed in the context of non-blackbox quantum ZK. This impossibility of copy protection can also be extended to finite term SSL. So it's a stronger impossibility result. And we can use Aronson's almost as good lemma to do that. Okay, so let's move on to the construction of infinite term SSL. So recall that the adversary in an infinite term lesser security definition, it says that on input of quantum state tries to output two copies, so that both the copies evaluate the same circuit as before. And our goal is to construct infinite term SSL for evasive functions. So to do that, we use the following insight. So no matter what scheme we come up with, the adversary is going to behave as follows. On input quantum software either does two things. I mean either he outputs two copies that both of them are the same as the original software or it outputs two copies where one of them could be different from, at least one of them is different from the original copy. And the first case is more similar to the no-cloning theorem setting so we can possibly use the no-cloning principle to prevent this case. And we can use crypto to prevent the second case. And to see why crypto here is useful, there is a rich literature on non-mailable cryptography. I mean there are many works that show that if let's say an adversary tries to tamper with a cryptographic object, then he can only succeed with very small probability. That's why crypto is useful to prevent the second case. So they're having some subsequent works on SSL which are going to appear at TCC. So they construct SSL for different class of functions from either weaker assumptions like sub-exponential curatively or even no assumptions with weaker correctness guarantees. There are also constructions of copy protection in the oracle models. There was recently a construction of copy protection for PRF's first time in the plain model. Some open problems that still remain is that we don't know how to copy protect evasive functions in the plain model that's still open. But also can you actually rule out copy protection in other oracle models like random or classical accessible oracle models? But even proving impossibility results might be useful here. With that, I conclude my talk.