 Hello, my name is Sebastian Lord and I'm happy to present secure software leasing without assumptions in the context of the theory of cryptography conference or TCC 2021. This is joint work with my wonderful co-authors and broadband Stacy Jeffrey, support the Potter and Arthi Sundara. Let's jump right into it. So one of my main interests in quantum cryptography is where we can apply the no cloning principle to achieve things that would otherwise be impossible using only classical tools. So simply, the no cloning principle states that it is impossible to create perfect copies of arbitrary quantum states. And this is the pillar of many quantum cryptographic primitives that achieve things that would be impossible with only classical means. And the idea here is that the no cloning principle is quite a quantum phenomenon in the classical setting, adversaries and eavesdroppers and any party can just keep copies of classical information that is exchanged back and forth. This is not quite true in the quantum setting. And this gives rise to a whole lot of unclonable cryptography, some of which I'm sure you've already heard of. Perhaps the most famous examples are unclonable tokens. So unclonable tokens are essentially quantum states that contain no meaningful information, just enough so that a receiver can either accept or reject the token. We can also talk about unclonable information. These are encryption like schemes that achieve some extra security notion where this extra security notion is tied into the no cloning principle. This is something that myself and some of my colleagues are quite interested in and we have some previous work on things like unclonable encryption and encryption of a certified deletion. We also have unclonable functionalities and that's really the topic of this talk. And in this talk, we're going to cover two different types of unclonable functionalities. We're going to talk about copy protection, as well as secure software leasing. And one of the ideas that we're trying to promote here is that all of these three notions can be seen as part of a hierarchy, where at the top of the hierarchy you have the functionalities, followed by unclonable information, followed by unclonable token. The idea being that at every level of the hierarchy, these are more and more complex things, if you will, that are rendered unclonable by using the no cloning principle. Okay, so where does the story of unclonable functionalities begin? Well, it begins with a question by Scott Aronson in 2009. This question is quite similar. It asks, can quantum states be used as copy protected programs, which let the user evaluate some function F, but not create more programs for F. So let's sketch out the idea that's wanted here. So what's the basic idea behind copy protection? Well, we're going to have a pair of procedures protect a novel, such that we can feed some function F taken from a larger family of functions into the protection procedure. This is going to yield some quantum state row F and row F can be used in the evaluation procedure with an input X to produce the output of the function F of X. There's been a lot of recent activity, right? Aronson asked this question in 2009, and for about 10 years, there hasn't been a whole lot of progress on the question. But over the past two years, there's been multiple different works, multiple different publication, including other work that will be presented at this conference. I want to highlight at this point that all these other works, they use either some standard assumptions, right, we're talking one way functions or things like that, or quantum oracles or set up assumptions to achieve the security of their protocols. This is where our contribution comes in. So the main contribution in this work is that we construct a secure software leasing scheme specifically for point functions, which is provably secure without any assumptions at all and against unbounded adversaries. So our construction can be instantiated by any total authentication scheme. We'll get into those details in a bit. And we obtain our secure software leasing scheme by passing via this novel security notion of honest malicious copy protection. So we're going to define this security notion, we're going to show how we achieve it. If we were to sketch out the results of this work and look at it like this, you take a total authentication scheme, you use this to construct a copy and honest malicious copy protection scheme for point functions. We then show that honest malicious copy protection for point function implies secure software leasing for point functions. And I want to highlight this result by Colledangelo Mayans and Premba, which states that if you have SSL for point functions, you can also obtain SSL for compute and compare functions. And our construction follows through. Let's formally define copy protection. So as mentioned, we're going to start off with a pair of procedures protected about, and this is going to be a copy protection scheme for a certain family of circuits. Now throughout the talk, we go back and forth between functions and circuits. It's not particularly important for this work. Formally, the definitions are given at the level of circuits, but for the level of this talk, it's easier to reset about functions at times. So the security of our scheme is going to be parameterized by a bunch of different distributions. And this starts off with the distribution D on the family of circuits which we are copy protecting, as well as a set of distribution on pairs of inputs. There's an inputs to the circuit, and every single circuit C has its particular distribution on pairs of inputs to see. And we're going to analyze the security via a game that's going to be played by a referee against a collaborating pirates and two evaluators. So the pirate and two evaluators get to set a strategy ahead of time, but the communication that they have during the run of the game is going to be quite limited. So let's put up our referee, let's put up our pirate and our two malicious evaluators. I want to highlight here that the two evaluators are distinct, they can behave in completely different ways. The game starts off with the referee sampling a circuit C, according to the distribution D, and producing the copy protected program row that results from protecting the circuit C. The state row is handed off to the pirate who can do arbitrary computation. But at the end of this, the pirate has to hand off one register to malicious evaluator zero, and one register to malicious evaluator one. Once the program state is split between both evaluators, the referee will sample two inputs to the circuit X zero and X one, hand off X zero to evaluator zero, hand off X one to evaluator one, and both evaluators attempt to compute the value of C X for their respective X. So they output some Y zero Y one, and they win if and only if both correctly compute the value of the circuit on their inputs. Normally we're going to say that the scheme is epsilon copy protecting if the probability that both evaluators correctly outputs is at most some trivial guessing probability plus epsilon. What is this trivial guessing probability comes comes from. Well, there's one attack that we can't prevent the pirates and the malicious evaluators of implementing. And this is simply the attack where the pirate hands off the program completely unchanged to one evaluator, and the other evaluator guesses their value of Y simply based on their value of X, and we optimize over this gets into obtain the trivial guessing probability. So that was copy protection, but we mentioned that we're going to achieve honest malicious copy protection which is a slightly weaker version of this more general idea. So, I want to highlight that in the game that we just studied malicious evaluators are completely unconstrained, we have no guarantees on their behavior, they can do whatever they want. In this malicious setting, we're going to force one of the evaluators to behave honestly. So if we put up the same diagram as last slide, it's going to look quite similar with the only difference being that one of the evaluators must be made honestly. They must use the evaluation procedure that is prescribed by the copy protection scheme. In addition to this, the setup is essentially the same. We're going to say that the scheme is epsilon honest malicious copy protected, if the probability that both the honest and malicious evaluator correctly compute the value of the circuit on their input is at most some trivial guessing probability. So we're going to call this epsilon where the trivial guessing probability follows from simply giving the unchanged program state to the honest evaluator, and having the malicious evaluator guess the possible outcome based only on x one. Okay. So we're going to achieve this idea of honest malicious copy protection by using quantum authentication. So let's talk about the general idea behind quantum authentication. This syntax, a quantum authentication scheme for some particular space M is just a collection of pairs of quantum channels authenticate and verify indexed by keys K. And they satisfy this correctness guarantee that if you verify an authenticated state by using the correct key, you get precisely that state that same state back, as well as a flag qubit in the a register. The register is spanned by either the a state or our state for accept or reject. Now security is a bit more technical to define. But kind of the intuitive idea that you would want to have in head is that if you had some attack that interacted with the state between the authentication and verification procedure. And make sure that you never output the reject flag if you don't obtain the initial state that now this is not a formal definition and in fact there might be some issues in formalizing precisely this, but it's a bit the intuition that you would want frequent authentication But we're going to need a more precise security definition and the security notion that we're going to pick among the various ones in the literature is total authentication. And this is a notion that was first introduced in 2017. To properly talk about total authentication, we need a slight variation on the verification map, which is this verification with the overline, and this is simply verification conditioned on acceptance. So we check to make sure that the flag is in the accepts state and we just reject if it is, we just reject the state if it's in the reject flag. So, I want to highlight that this is not a trace preserving math. The trace of the state following this overline verification is precisely the probability that accepts. And what we're going to do is a bit of an ideal versus real set. So, in the real setting, some adversary can pick a state row that's going to be authenticated, as well as living on some memory register that the university holds. If the message register gets authenticated, the adversary can attack both the authenticated states and interact based on their memory register, followed by verification and once again we're going to condition on acceptance by this overline. So we get some state Sigma in the real setting that depends on a key K. But what's an ideal adversary for quantum authentication. Well, we could think that the ideal adversary is an adversary that just does not interact with the authenticated state. So, here we have an ideal it's a bursary side that simply interacts on their own memory register they cannot touch the authenticated state between the authentication and verification. And note that this authentication scheme is epsilon secure if for all state Sigma. Sorry, if for all initial states row, the final states in both of these dashed red boxes are epsilon close and trace distance and note that this includes the key K. I want to highlight here that in the ideal scenario the adversary and their memory register Z they have no information on the key that is used right they don't actually find a way to interact with the key. So how can we use a total quantum authentication scheme to construct a copy protection scheme for point functions. So let's recall that a point function is a function that takes us input a bit string of like that and outputs a single bit. Now, every point function is characterized by precisely one bit string. It's point, we're going to denote it P, and the function is such that it outputs one if and only if the argument is its point. So, now we're going to take some epsilon total authentication scheme we're going to fix an arbitrary state psi on the message space. The idea is to build on this correspondence that we can have between inputs to the point function and keys to the authentication scheme. So our protection algorithm, our protection procedure on input of a point function delta P is simply going to output the authentication of the fixed state using the point as the key. So, if we authenticate. Sorry, if we protect using authenticate, we're going to evaluate using verification. If we have a candidate program Sigma and some argument X, our evaluation procedure is simply going to verify Sigma using X as the key. The evaluation procedure that outputs one if and only if the verification accepts. So, ideally, we would achieve correctness in the following way we would say that we have an data correct scheme if for all possible arguments X and all possible point functions delta P. The probability over the randomness of the evaluation and protection procedure that you obtained the correct outcome is greater or equal to one minus eight. Unfortunately, we don't achieve the above correctness, but instead we're going to have correctness with respect to certain distributions. So what do we mean by this, we mean that we're going to define and achieve a correctness with respect to family of distributions index by put that by potential functions. More precisely, for all possible point functions, the probability that the evaluation correctly outputs taken over the randomness of the evaluation protection procedure, as well as the sampling of the input is at least one minus eight. We don't necessarily have correctness for all possible inputs. We obtained correctness averaged or taken out on. Sorry, we obtained correctness with probability over the possible inputs. So, let's bring up the scheme here so recall that we protect by authenticating and evaluate by verifying. So, we're going to show correctness with respect to a very specific distribution. This is the distribution that so sorry, so the distribution is indexed by the point function delta P. And for every possible bit string, it's going to be P with probability one half and not P with probability one half and in this case it is sample uniformly at random over all possible strings that are not P to properly show correctness we actually show this following theorem which states that for any epsilon total authentication scheme for any state row. If you simply random key K, the probability that you accept is at most to to the epsilon. So the theorem follows from the security of the authentication scheme, you can kind of be the argument essentially says that if there was a state that was excited that was accepted with higher probability. You could use the state to construct an attack against the authentication verification scheme. So, this is the authentication scheme for all points P. We have that we correctly evaluate on the point P with probability one, and this theorem will allow us to make a statement for what happens when you try to evaluate with the wrong key. You combine all of the above, and you show that when you start with an epsilon total authentication scheme the probability that you correctly evaluate is at least one minus epsilon. So let's go on to the honest malicious security. Let's refresh our memory just a bit. So, our scheme is here. Once again we protect by authenticating and we evaluate by verifying. More precisely, we're going to prove security when depth one the point function is sampled uniformly at random from all possible point functions and where each challenge is sampled according to this distribution that is P with probability one half and not P with probability two challenges are going to be sampled independently from each other. So let's recall the security games so we have our referee our pirate and both evaluators, and we check whether or not the evaluators correctly compute the value of the function. Okay. So, let's sketch our proof of security. The correspondence between the honest evaluator correctly evaluating Delta P on the point P with accepting authenticated state. And we recall from total authentication that conditioned on acceptance, the attacker will know essentially nothing on the key. Now we play this correspondence more we say that Oh the authentication key actually corresponds to the copy protected function, the authentication attack corresponds to the copy protection adversaries. The conditioned on acceptance the attacker knows essentially nothing on the key they know essentially nothing on the function on the point function is copy protected. That's going to limit their ability to correctly compute the circuit. Right, so if the honest evaluator is correct that the malicious evaluator knows essentially nothing on the point of the point function. So let's analyze the case for the honest evaluator is challenged with something that is not the point of the point function that is authenticated, but we leave that for the paper. For me the theorem that we show is that with this scheme and these distributions, the probability that both that the adversaries when is that most this trivial guessing probability, and this fairly nice function of epsilon. We also show that the trivial guessing probability in this case is precisely one. We've obtained a scheme for copy protecting point functions in the honest malicious setting. Let's finally talk about secure software. So secure software leasing is similar to copy protection in the sense that it prevents copying of programs, but it is a bit different in the sense that there will be no second evaluation, we're going to have a verification procedure instead. So security is also parameterized by distribution over circuits and inputs, much in the same way that copy protection was. So let's sketch this SSL game. So we're going to have a referee and a pirate. In this case the pirate is also going to play the role of the single evaluator. There's no second evaluator as previously mentioned. The referee is going to sample a circuit see according to the distribution D produce some state row that essentially includes the circuit and that state row off to the pirate. The pirate does some computation that can hold on to some quantum information, but eventually they have to return some state signal to the referee. The referee will then verify the state sigma and either accept the return or rejected. So assuming they accept they're going to sample some argument X, according to the distribution TC that can depend on the circuit C, hand X off to the pirate, and the pirate wins if and only if they correctly compute the value of the function on X. Very similarly we're going to say that the scheme is epsilon secure if the probability that the referee accepts and that the pirate correctly computes the outcome is at most the trivial guessing probability plus epsilon. And finally we emphasize that in this setting the pirate can evaluate maliciously so we don't control any of the computation of the pirate does. So how do we obtain secure software leasing from honest malicious copy protection. Well the idea is quite simple, you can verify a return program by honestly evaluating it on an input. The protection and evaluation procedures in the setting are unchanged we just construct the verify from the honest evaluation right so how do you verify on input of some circuit C and a candidate program sigma right that the pirate claims. You sample some argument X prime, according to some distribution T prime C, you compute, and you verify whether or not this is the correct outcome. If you plug this into the game you get this figure here where we just kind of expand a verification procedure to include, and you see that this essentially simulates the honest evaluator of the honest malicious copy protection game. The reason that we show is that if the copy protection scheme is epsilon honest malicious secure with respect to some distribution D, and this distribution on challenges. Then the derived SSL scheme is going to be epsilon secure with respect to the same distribution on the circuits, and just the singular distribution on the challenges to the pirate. So in conclusion, what do we have as results in this work well we define and achieve honest malicious copy protection with no assumptions, I also want to put up this figure here that kind of sketches how we do this. We show that honest malicious copy protection yields SSL. And we can contrast this work with other works where we do not need any assumptions we have no setups and no oracles. Finally, but kind of the trade off here is that for copy protection we only consider a restricted class of adversaries right we have honest malicious copy protection which is a bit weaker than the more general malicious malicious copy copy protection if you will. So there's two main open questions for future work. First of all, can we improve the correctness of our scheme right so currently we have correctness over with a probability over possible inputs we would like to have correctness for all possible inputs. And perhaps the main question is, can we achieve copy protection against multiple to malicious evaluators without any assumptions at all. And I think this is a question that is gathering quite a lot of interest in the field right now. And with that, thank you very much.