 Welcome to my talk. I'm going to talk about Secure Software Leasing. This is a joint work with Fuyuki Kitagawa and Takashi Yamaka from entity. In this work, we achieved Secure Software Leasing schemes for pseudo-random functions and subclass of evasive functions from the learning with errors assumption. As an additional feature, we can extend our scheme to Secure Software Leasing with classical communication. Let's start with what is Secure Software Leasing. Secure Software Leasing is a quantum cryptographic primitive. There are less who has the software and less. A central authority generates a common reference story. The lesser generates a protected software by using a secret key. Then the lesser sends it to the lessy. The lessy can run the software on the legitimate platform. That is, they can get an output for input. At some point, the lessy returns the least software to the lesser. Then the lesser checks whether the returned software is a valid least software or not. After the lessy returns the least software, they cannot run the software anymore. That is, least software must be a quantum state since we can easily copy classical information. There are two security notions for Secure Software Leasing. One is finite-term security. In this security game, an adversary receives a protected software. Then the adversary tries to generate possibly entangled bipartite states. Both of them can be used to run the least software. The adversary sends one state to the lesser as a returned software and uses the other one to run the least software. Finite-term security guarantees the returned software is not valid. Or the adversary cannot run the least software on the legitimate platform anymore. Here, the adversary is forced to run software by an honest evaluation algorithm. The other notion is infinite-term security. This is stronger than finite-term security. In this security game, the adversary also tries to generate possibly entangled bipartite states. Then the adversary tries to use both states to run the least software on the legitimate platform. In finite-term security guarantees the adversary cannot use either of the two states to run the least software. An answer to that plague presented the notion of Secure Software Leasing and initiated it for subclass of invasive functions by using public key quantum money and the LWD assumption against quantum adversaries. Their scheme achieved infinite-term security. Some concurrent and independent works improved the assumptions, but the function class is limited to subclass of invasive functions. Aronson et al. achieved Secure Software Leasing for broader function classes, but they still need public key quantum money. ours is the first Secure Software Leasing for broader function classes from standard assumptions. In our paper, we give constructions for pseudorandom functions and subclass of invasive functions, but our construction can support public key encryption and signature by combining the technique by Aronson et al. Our construction is based on the clean framework using software watermarking. We can instantiate the watermarking part with standard assumptions. Aronson et al. concurrently and independently presented a similar technique based on watermarking. We note that some works achieve security where Pirate Software is not forced to run by honest evaluation algorithms. Lastly, our construction can be achieved only with classical communication. That is, we do not need to send quantum states. I explained the high-level idea for how to achieve Secure Software Leasing. The scheme by Aronson et al. is as follows. Software is modeled as a classical circuit. We somehow generate a protected circuit in a classical way and connect it to a quantum state. When we return the least software to the lesser, the lesser checks the quantum state part is valid. Then the lesser also checks the protected circuit part is correctly connected to the quantum state part. If both are valid, the returned software is valid. When we learn the least software on a legitimate platform, the platform does the same check as the lesser. It checks both the quantum part and the connected part. What is the quantum part? We use a publicly verifiable and clonable state for the quantum part. This is also known as public key quantum money. In public key quantum money, a central bank has a secret key and publishes a public key. The bank generates a quantum money by using the secret key. We can verify a quantum money is valid and gets its serial number by using the public key. The adversary gets a quantum money and tries to make a copy of it. The security of quantum money guarantees that the potentially entangled two quantum states are not valid with the same serial number under the public key. Unclonability of public key quantum money and circuit protection part imply finite term security. The scheme by Anans and Laplake achieves infinite term security, but ours achieve finite term security. So we focus on finite term security in this talk. The third protection part consists of input hiding of station and simulation extractable NISC. But the detail is not important here. The adversary generates two states. One is for software check and the other is for learning software. Suppose each software passes the verification. First, we consider the case where the public keys for the quantum money part are the same in two states. If the returned software is valid and we can learn the other software on the legitimate platform, then the adversary must break the unclonability since both quantum money states are valid. Second, we consider the case where the public keys for the quantum money part are different in two states. Then, the adversary breaks the circuit protection part. The detail of the circuit protection part is not important to understand our construction. A crucial observation here is that lessor can use their secret key for checking the returned software while we need a public key to learn the least software on the legitimate platform. We found that we do not need the full power of public key quantum money for finite term security. A crucial tool for our construction is two-tire quantum lightning, which we introduced in this work. First, we reviewed the notion of quantum lightning. An authority generates a public key called bolt generator. Anyone who has the public key can generate a quantum state called bolt. We can verify a quantum state is a valid bolt for a serial number by using the public key. The adversary tries to make a copy of a bolt. That is, the adversary generates a potentially entangled two quantum states. The unclonability of quantum lightning guarantees one of the two quantum states with the same serial number is invalid. Quantum lightning is a stronger primitive than public key quantum money. There is no provably secure construction so far. We introduced two-tire quantum lightning, which is a relaxation of quantum lightning. In two-tire quantum lightning, an authority generates a public key and a secret key. Anyone who has the public key can generate a bolt as quantum lightning. There are two types of verification in two-tire quantum lightning. One is full verification, which needs the secret key. The other one is semi verification, which needs the public key. So anyone can execute semi verification. However, only the authority can execute full verification. In the security game, the adversary generates potentially entangled two quantum states as quantum lightning. In two-tire unclonability game, one quantum state is checked by full verification using the secret key. The other quantum state is checked by semi verification using the public key. Two-tire unclonability guarantees one of the two states with the same serial number is invalid. Two-tire quantum lightning perfectly fits for finite term secure software leasing. The lesser can check return software by using full verification with the secret key. Although the lessy does not have the secret key, they can check the least software by using semi verification with the public key. Now let's see our construction. As we see, we can use two-tire quantum lightning instead of public key quantum money for the unclonability state part in secure software leasing. In addition, we can achieve two-tire quantum lightning from the CIS or LW assumption against quantum adversaries. We will see a concrete construction later. It is easy to see we cannot use two-tire quantum lightning to achieve infinite term security since the lessy should not have the secret key. In the blueprint, we need a circuit protection part. We use software watermarking for this part. Let's briefly review what is software watermarking. Software watermarking can embed an arbitrary message into software. Watermarked software is functionally equivalent to the original software. We can extract the embedded message from the marked software by using an extraction key. The security of software watermarking is unremovability. The adversary receives a marked software and tries to remove the embedded mark from it. Unremovability guarantees if the software output by the adversary preserves the functionality of the original software. Then, we can extract the message embedded in the marked software from the software output by the adversary. We can construct secure software leasing by combining software watermarking with two-tire quantum lightning. A lesser generates a bolt and serial number and embeds the serial number and the public key of two-tire quantum lightning into software by watermarking. So the software is connected to the bolt. When a software is returned, the lesser extracts the embedded public key and serial number and checks the quantum state part by full verification with the secret key. When a lesser learns software, they extract the embedded public key and serial number and checks the quantum state part by same verification with the public key. Precisely speaking, we need Mark to formally prove the security of our construction, but I omit it for simplicity in this talk. Please see the paper for the details. We can prove the finite term security of our construction by using two-tire arc uncolonability and unremovability. The adversary generates two states. One is checked by the lesser and the other one is learned on a legitimate platform. Suppose the first one is valid under full verification and the second one is valid under semi-verification. At the blueprint, we consider two cases. First, if the extracted public keys are the same in two states, the adversary breaks two-tire uncolonability. Second, if the extracted public keys are different in two states, the adversary breaks unremovability of watermarking, since valid software must preserve the functionality of the original software. Note that this argument is oversimplified since we omit the mark part from this intuition. I explain how to instantiate two-tire quantum lightning and watermarking from standard assumptions. First, anyone should be able to extract an embedded message from marked software since we need to extract it when we learn software. That is, we need publicly extractable watermarking. There are publicly extractable watermarking signatures and public encryption based on standard assumptions, but we need IO for publicly extractable watermarking PLF. In fact, we do not need standard watermarking and can use relaxed version of watermarking since pilot software is required to learn by an honest evaluation algorithm in secure software racing. In relaxed watermarking, an extraction algorithm can check whether a search follows a regiment format or not. So, the relaxed watermarking is much easier to achieve than standard watermarking. We instantiate such a format check part with NISX. We can achieve publicly extractable relaxed watermarking PLFs from the QLW assumption. Please see the paper for the detail. To instantiate two-tire quantum lightning, we use noisy trapdoor clothly permutation by Brachelsky et al. There are two permutations over N-bit swing. It is hard to find a pair of inputs such that the outputs of the two permutations collide. Such a pair is called cloth. However, if we have a secret trapdoor, it is easy to find a cloth. A bolt generator is permutation F. To generate a bolt, we construct a uniform superposition. Then, we apply permutation F to the registers and write the result into the third register. Lastly, we measure the third register and obtain an image Y. This Y is the serial number. A bolt is the collapsed state after the measurement. So, the state is a uniform superposition of the cloth. The full verification algorithm inverts Y by using the secret trapdoor and gets the cloth. By using the cloth, we can verify a quantum state is a uniform superposition of the cloth. The same verification algorithm uses only the permutation F. It applies F to a quantum state and checks whether the image is equal to Y or not in the superposition way. Suppose one bolt with serial number Y passes the full verification and another bolt with serial number Y passes the same verification. By measuring the first bolt, we can get X0 or X1 with probability half since the bolt must be a uniform superposition of the cloth. On the other hand, we can get either X0 or X1 with some biased probability from the second bolt since its image is equal to Y. That is, we can get both X0 and X1 with probability half from these two bolts. So, two-tire uncolonability holds due to the security of trapdoor cloth-free permutations. We can also construct two-tire quantum lightning from the QC assumption, but we omit it in this talk. We can extend the two-tire quantum lightning construction to one with classical communication by using the idea of bolt to certificate by Radian and Sattat. We can generate a classical certificate that guarantees a bolt was collapsed. We use the certificate verification algorithm instead of a full verification algorithm. By using the classical certificate instead of bolt, we use only classical communication. We can instantiate the bolt to certificate mechanism by using the technique by Brackersky et al. and Radian and Sattat. We apply Adamad operator to a bolt and obtain a superposition state like this. We measure the registers and use the results as a classical certificate. We can verify the certificate by using pre-images extracted from the serial number Y. Two-tire uncolonability immediately follows from the adaptive hardcore bit property of trapdoor cloth-free permutations. Please see the paper for detail. It is easy to achieve secure software leasing with classical communication from two-tire quantum lightning with classical communication. The leasing generates a public key of two-tire quantum lightning and sends it to the leasing. The leasing generates a bolt and its serial number and sends the serial number to the leasing. The leasing embeds the public key and serial number to software by water marking and sends the marked software to the leasing. The leasing can run the software if the bolt does not collapse. When the leasing returns the software, they destroy the bolt, get the classical certificate and return the classical certificate to the leaser as an evidence they destroyed the bolt. If the leasing destroys the bolt, they cannot run the software anymore. Let me summarize my talk. We construct finite-term secure software leasing schemes for PRFs and subclass of evasion functions from standard QLW assumptions. We also achieve secure software leasing with classical communication. Our technique is based on the clean frame mark by two-tire quantum lightning and soft software water marking. That's it. Thank you for watching my talk.