 Hello, I'm Qipeng Liu from Princeton University. I'll be talking about the work "Hidden Cosets and Applications to Unclonable Cryptography". This is joint work with Andrea Coladangelo from the Simons Institute and UC Berkeley, Jiahui Liu from UT Austin, and Mark Zhandry from NTT Research and Princeton University. The talk is about unclonable cryptography, which leverages the quantum no-cloning principle. The no-cloning principle of quantum mechanics says that general quantum information cannot be copied. There is some quantum algorithm that takes an unknown state, and it wants to copy the state into two identical copies. Classically, this is easy, since any classical computer can simply read each bit of a classical message and then write it out bitwise. But it turns out that in a quantum world, if you do not know the quantum state, you cannot copy a general quantum state into two copies. The no-cloning principle opens the door to many classically impossible primitives. Examples include quantum key distribution by Bennett and Brassard; quantum money, which was first studied by Wiesner; quantum copy protection, first by Aaronson; signature tokens, first by Ben-David and Sattath; unclonable encryption by Gottesman and by Broadbent and Lord; and unclonable decryption by Georgiou and Zhandry. These applications rely on some form of no-cloning theorem for particular quantum states. In fact, although a general unknown quantum state cannot be copied, to establish a provable statement for certain cryptographic schemes, we rely on particular quantum states instead of general unknown states. And most of the applications are based on BB84 states, which were first used by Wiesner, or subspace states, first used by Aaronson and Christiano. In this work, we propose a generalized notion of both BB84 states and subspace states, which we call coset states. 
This notion has also been studied independently in a work by Vidick and Zhang in the context of proofs of quantum knowledge from quantum money schemes. We show in this work that coset states possess many important properties of BB84 states and subspace states. We further show that because coset states have more algebraic structure, they improve many of these applications. We look at these applications from subspace states. You do not need to worry about the definitions of subspace states, signature tokens or unclonable decryption; we will come back to them shortly. Previous results show that signature tokens and unclonable decryption exist relative to classical oracles. In other words, they need to assume post-quantum secure virtual black box obfuscation for classical circuits. Here we use VBB for virtual black box obfuscation. In this work, we show the generalized notion, coset states, also gives these applications, studied in the plain model, by assuming post-quantum indistinguishability obfuscation and one-way functions. For our final result, we show how to copy-protect PRFs. This is the first example of copy-protecting non-evasive functions. For unclonable decryption and copy-protection of PRFs, we need to additionally conjecture that coset states have a stronger property. The property was later proved by Culf and Vidick in a follow-up work. Before introducing coset states, we explain the subspace states of Aaronson and Christiano. A subspace state for subspace A is a quantum state that satisfies the following properties. If you measure the state directly, or in the computational basis, you will get a uniformly random vector in the subspace A. If you apply Hadamard, which is a quantum operator, to the state and then measure, you will get a uniformly random vector in the dual space A-perp. Here both A and A-perp have dimension roughly lambda over 2. 
If you are familiar with quantum, then the subspace state for the subspace A is an equal superposition of all vectors in A. And for convenience, we refer to these two programs as the membership checking programs for the spaces A and A-perp. In other words, P_A takes a vector and outputs 1 if and only if the input is a vector in A, and similarly for P_{A-perp}. Subspace states satisfy the following direct product hardness property. It says that for any query-bounded quantum algorithm, given a single copy of a subspace state for A, even if it gets oracle access to both membership checking oracles, it cannot find two non-zero vectors in A and A-perp. Here direct product stands for finding vectors in the direct product space of A and A-perp. We first note that it is always easy to obtain either a vector in A or a vector in A-perp by just measuring the state in either the standard basis or the Hadamard basis, for which you apply Hadamard and then measure. However, measuring in one basis will completely collapse the state into a single vector. Thus it will completely force the state to lose all the information about the other space. Also note that if a quantum algorithm can make unbounded queries, it can always learn the subspace A by making exponentially many queries to these oracles. And therefore finding these two vectors becomes easy if we do not put the query constraint. The direct product hardness naturally gives a construction of signature tokens. A signature token scheme is similar to a signature scheme, except a user is given a quantum signing token instead of a classical signing key. Moreover, the token should be a one-time token. In other words, a person who has a signing key can generate a signing token and delegate the signing task to someone else. This signing token can be used to sign an arbitrary message, but only once. 
More formally, the security guarantees that no efficient quantum algorithm, given the signing token and a classical public verification key, can produce valid signatures for both messages 0 and 1. Here, for convenience, we only consider one-bit messages. Ben-David and Sattath show that subspace states give applications to signature tokens. So basically, we can think of a valid signature for message 0 as a non-zero vector in the subspace A, and a valid signature for 1 as a non-zero vector in the subspace A-perp. And therefore, a signing token is a subspace state for A. And finally, the verification key is simply the verification oracle, or the membership checking oracle, for both subspaces A and A-perp. However, the drawback is that the construction is only provably secure relative to classical oracles; especially when we're instantiating the scheme, the verification key should be a VBB obfuscation. As we saw in the previous discussion, the verification key is a VBB obfuscation or oracles. To achieve the construction in the plain model, one natural attempt is to replace VBB obfuscation with IO. Similar ideas were deployed to achieve quantum money in the plain model. In 2012, Aaronson and Christiano showed quantum money with respect to classical oracles, while they rely on a weaker property than direct product hardness. Later in 2019, Zhandry showed the same construction works in the plain model by instantiating the obfuscation with IO. The actual construction is more involved, but this is roughly the idea. One can try to apply the same idea to the direct product hardness property for subspace states. In the same reduction, we run into a technical problem, and thus the reduction fails. Basically, if we follow the same reduction, we find that the resulting task becomes very easy when instantiating VBB with IO. Although it does not say anything about the original game, it shows a technical barrier for replacing VBB with IO for direct product hardness. 
Since we do not have time to explain more on this, we refer to the full paper for more details. Now we formally introduce coset states. A coset state for subspace A and two vectors S and S prime is a quantum state that satisfies the following property. If you measure the state directly, or in the computational basis, you will get a uniformly random vector in the coset A plus S, which is the set of vectors in A, but shifted by S. If you apply a Hadamard to the state and then measure, you will get a uniformly random vector in the coset A-perp plus S prime. If you are familiar with quantum, then a coset state for subspace A and two vectors S and S prime is the following. In the computational basis, it is the superposition of all vectors in the coset A plus S, and in the phase, it encodes a superposition of all vectors in the coset A-perp plus S prime. For convenience, we refer to these two programs as the membership checking programs for the cosets, which are P_{A+S} and P_{A-perp+S prime}. Coset states also satisfy the direct product hardness property. It says that for any query-bounded quantum algorithm, given a single copy of a coset state, even if it gets oracle access to both membership checking oracles, it cannot find two vectors in both cosets. For subspace states, we do not allow an algorithm to find zero vectors, but we do not have such a requirement for coset states. Because you can think of the zero vectors as now replaced with the secret vectors S and S prime, finding S or S prime is also hard in our case, and direct product hardness still holds if we do not put such a constraint. So the direct product hardness of coset states naturally gives the construction of signature tokens, but still relative to classical oracles. Next, we show that by replacing the VBB obfuscation or classical oracles with IO, we can achieve direct product hardness in the plain model. It then naturally gives the construction of signature tokens in the plain model. 
Formally, we want to prove the following security. There is no efficient quantum algorithm that, given a coset state and IO of the membership checking programs, can produce vectors in both cosets. Here we briefly explain how it works and why the same idea cannot be applied to subspace states. In the original game, we have a coset state and two obfuscated programs for membership checking. In the next hybrid, we replace the underlying subspaces with B and C. Here B is a random superspace of A with dimension 3 lambda over 4, and C is a random superspace of A-perp, also with dimension 3 lambda over 4. The indistinguishability between hybrid 0 and hybrid 1 is similar to that in Zhandry's quantum money proof, as long as B and C are random. This is so-called subspace hiding obfuscation. In the next hybrid, we replace S in the program with S plus T for a random vector T in B. Recall that the program is checking membership in the coset B plus S. Since T is a vector in B, replacing S with S plus T does not change the functionality; the resulting program is also checking membership in the coset B plus S. The indistinguishability comes from IO security, and similar arguments hold for the other program. We are going to show that in hybrid 2, no quantum algorithm can recover vectors in both cosets. Instead of giving a quantum algorithm IO programs, we now give the programs in the clear without using obfuscation. In other words, for the IO program P_{B+S+T}, we give the description of B and the description of S plus T. And for the other program P_{C+S prime+T prime}, we give the description of the subspace C and the shift S prime plus T prime. We argue that since B is a random superspace of A, it still hides most of A. And similarly, T behaves like a random mask and hides most of S. Following the same idea, we show that all this additional information, B, C, S plus T, S prime plus T prime, only gives limited knowledge about A, S and S prime. 
By a careful argument, we show that this task is still hard. That said, the last statement is an information-theoretic statement. The only computational assumption comes from switching from hybrid 0 to hybrid 2. And we would like to argue that this approach does not work for subspace states. For subspace states, we will have the following game, where the quantum algorithm is given the subspace state for A and two descriptions B and C, which are a superspace of A and a superspace of A-perp. Given B and C, it is easy to find vectors in A direct product with A-perp, because any vector in C-perp is a vector in A and any vector in B-perp is a vector in A-perp. Therefore, we can easily find vectors in A direct product with A-perp. Therefore, such an argument does not work for subspace states. Now we conclude the first part of our paper. First, we show that coset states satisfy computational direct product hardness, assuming IO and one-way functions. And secondly, as a corollary, there exist signature token schemes in the plain model. Next, we look at other properties of coset states, the monogamy-of-entanglement properties. We will show coset states satisfy both MOE and stronger MOE. This property will be used for constructing unclonable decryption and copy protection of PRFs. MOE was first studied for BB84 states. The monogamy-of-entanglement game for coset states is as follows. A coset state is given to a quantum algorithm. The algorithm then generates potentially entangled states, rho 1 and rho 2, and sends them to two separate quantum algorithms, which cannot communicate with each other. And the description of the subspace A is sent to both algorithms, but they cannot communicate. Finally, they both need to come up with vectors in both cosets. Unlike direct product hardness, because they know the description of A, as long as they can compute one vector in each coset, they can compute any vector in this coset. 
Thus, for simplicity, we assume they output the first vector in each coset, denoted by S and S prime. We prove coset states have the information-theoretic MOE property, that is, even unbounded quantum algorithms cannot win the above game with probability more than some exponentially small function. Notice that if the description is given to the very first algorithm, the game is easy. Having both a coset state and the underlying subspace, extracting both S and S prime is trivial. Similarly, if the two algorithms in the second stage can communicate, the problem also becomes trivial. We further show that, if IO of the membership checking programs is given to these algorithms, the problem remains computationally hard. We similarly define the strong monogamy-of-entanglement game. Now the algorithms in the second stage need to output S and S prime respectively, instead of both outputting S and S prime at the same time. This is the property we use for constructing the other two applications. Culf and Vidick later proved that coset states satisfy this property. Therefore, we can remove the conjecture in our work. In the next slide, I'm going to show the idea of constructing unclonable decryption from strong monogamy of entanglement of coset states. Our decryption scheme is almost the same as a public-key encryption scheme, except the secret key is now a quantum key. It should satisfy the standard correctness and CPA security. Besides, it should also satisfy unclonability of the decryption key, which roughly says the quantum key cannot be split into two copies such that both of the forged keys can be used to decrypt ciphertexts. We will formally talk about the security in the next slide. We first look at the construction. In our scheme, the public key is simply the membership checking programs for both cosets, and the quantum key is simply the coset state. 
The encryption procedure takes the public key pk and the message, and it first flips a coin R and outputs the coin and an obfuscated program. If the coin R is zero, the program is the following. It takes a vector and it outputs the encrypted message M if and only if the vector is in the coset A plus S. And if the coin R equals one, then the program takes the input vector and outputs the encrypted message if and only if the vector is in the other coset, A-perp plus S prime. Although constructing these two programs, C0,M and C1,M, requires knowing the description of the secrets A, S and S prime, constructing the obfuscation of these two programs is actually easy; it only requires the membership checking programs, which are exactly the public keys in our scheme. And finally, to decrypt, if the random coin is zero, you run the program coherently on the coset state. Since the coset state is a superposition of vectors in the coset A plus S, it will output M. If the random coin is one, you run the program coherently on the Hadamard basis of the state, which is a superposition of vectors in the coset A-perp plus S prime. Therefore, it satisfies correctness, and the CPA security would follow from the next slide, which is the unclonability of the decryption key. The unclonability-of-decryption-key game is as follows. The classical public key and the quantum secret key are given to an algorithm. The algorithm generates potentially entangled states, rho 1 and rho 2, and sends them to two separate quantum algorithms, which cannot communicate with each other. You can think of rho 1 and rho 2 as two different keys. And two ciphertexts of unknown messages are given to both algorithms; note that they are encrypted under independent randomness, here r0 and r1. And finally, they both need to come up with the correct message M. In our case, the public key and the quantum secret key are now the membership checking programs for both cosets and a coset state. 
For the ciphertexts, we assume they are generated using different coins. The left ciphertext is the IO of C0,M, and the right ciphertext is an IO of C1,M. If there exist algorithms that can successfully produce M, we want to argue that the left-side algorithm should learn S, and the right-side algorithm should learn S', which violates the strong monogamy-of-entanglement property. To argue this, we show that the ciphertext programs are actually compute-and-compare programs. A compute-and-compare program has three components: a function, a lock and a secret. A compute-and-compare program takes an input and computes that function on the input. If the output equals the lock, then it outputs the secret, otherwise it learns nothing. In our case, the locks are S and S' and the secret is M. You can see this on both of the circuits. By the security of compute-and-compare obfuscation, if one can learn the secret with non-trivial probability, there exists a way to extract the lock, which is S and S' in our case. Therefore, by a delicate argument, we show that if both algorithms can output M with some non-trivial or non-negligible advantage, there exist algorithms that break the strong monogamy-of-entanglement game. And this is a contradiction, therefore our scheme has unclonability of the decryption key. Now we conclude the second part of the work. First we show that coset states satisfy computational MOE and strong computational MOE, assuming IO and one-way functions. Then we show that there exists unclonable decryption in the plain model. And finally we show there exists copy protection of PRFs in the plain model. The construction is based on unclonable decryption using an IO trick called the hidden trigger technique. Finally we conclude the work. We first propose coset states. And we show that coset states have computational direct product hardness. And as an application, we show signature tokens exist in the plain model. 
And next we show coset states have the monogamy-of-entanglement property. Although we did not prove it, the monogamy-of-entanglement property would naturally give applications like quantum key distribution and secret-key quantum money. And finally we conjecture coset states have the strong monogamy property, which has later been proved. And as an application, we show that it gives unclonable decryption in the plain model and copy protection of PRFs in the plain model. Note that although we achieve different primitives in the plain model, they require completely different structures of coset states. Therefore we think they are conceptually very different works and ideas. That's the end of my talk. Thanks for listening.
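
The classical linear algebra behind two steps of the hybrid argument in the talk, as an added example that is not part of the talk or the paper: shifting by a vector T in B leaves the coset membership program unchanged, and the descriptions of B and C hand out vectors of A and A-perp in the subspace case but not vectors of the coset A plus S. It assumes a toy dimension N = 8 over GF(2); all helper names and sampled values are constructed for illustration.

```python
import random

N = 8  # toy ambient dimension (lambda in the talk); every value here is constructed

def dot(u, v):
    return bin(u & v).count("1") & 1            # inner product over GF(2)

def reduce_basis(vectors):
    """Independent GF(2) basis for the span of `vectors` (vectors are bitmask ints)."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)                   # clears b's leading bit in v if set
        if v:
            basis.append(v)
    return basis

def in_span(basis, v):
    """Membership in span(basis); basis must come from reduce_basis."""
    for b in basis:
        v = min(v, v ^ b)
    return v == 0

def dual(basis):
    """Basis of the orthogonal complement, by brute force (fine for N = 8)."""
    return reduce_basis(u for u in range(1, 2 ** N)
                        if all(dot(u, a) == 0 for a in basis))

def extend(basis, dim, rng):
    """Random superspace of span(basis) of dimension `dim`."""
    basis = list(basis)
    while len(basis) < dim:
        basis = reduce_basis(basis + [rng.randrange(1, 2 ** N)])
    return basis

def coset_program(basis, shift):
    """P_{V+shift}: accepts v iff v + shift lies in span(basis)."""
    return lambda v: in_span(basis, v ^ shift)

def demo(seed=1):
    rng = random.Random(seed)
    A = extend([], N // 2, rng)                 # hidden subspace, dimension lambda/2
    A_perp = dual(A)
    B = extend(A, 3 * N // 4, rng)              # random superspace of A
    C = extend(A_perp, 3 * N // 4, rng)         # random superspace of A-perp
    s = next(v for v in range(1, 2 ** N) if not in_span(A, v))  # shift outside A
    t = B[0] ^ B[-1]                            # a nonzero vector t in B
    # Hybrid 2: replacing s by s + t (t in B) does not change the program's behaviour.
    p, q = coset_program(B, s), coset_program(B, s ^ t)
    same = all(p(v) == q(v) for v in range(2 ** N))
    # Subspace case: C-perp lies inside A and B-perp inside A-perp, both nonzero.
    c_perp, b_perp = dual(C), dual(B)
    leak = (bool(c_perp) and bool(b_perp)
            and all(in_span(A, v) for v in c_perp)
            and all(in_span(A_perp, v) for v in b_perp))
    # Coset case: those vectors of A are not in A + s once s lies outside A.
    in_coset = any(coset_program(A, s)(v) for v in c_perp)
    return same, leak, in_coset
```
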