Hello, my name is Fatih, welcome to my presentation of Unclonable Encryption Revisited, which is joint work with Prabhanjan Ananth. Unclonable cryptography is a hot field in quantum cryptography which relies on the no-cloning theorem. The no-cloning theorem states that there is no universal cloner of quantum states. In particular, it states that any cloner can clone a set of states which are mutually orthogonal, assuming this cloner is exact. Clearly, this concept has no classical counterpart. Any classical bit of information can be indefinitely copied. There are several unclonable primitives that are based on the no-cloning theorem. Quantum money is a primitive in which quantum states are used as banknotes and they cannot be cloned to make more money without the bank's permission. Used by Scott Aaronson, copy protection is a primitive that protects against software piracy. Signature tokens allow you to sign messages only once given a quantum state, which means it has to be unclonable. Likewise, in single decryptor encryption, there is a decryption key which cannot be used more than once for the decryption functionality. And finally, unclonable encryption, which is the topic of today's talk, introduced by Broadbent and Lord, is a primitive where ciphertexts cannot be cloned in a way that preserves the functionality of being decrypted into the original message. In this context, we are considering the setting where we are encrypting classical messages using quantum algorithms and thereby having quantum ciphertexts. So how do we define unclonability in this setting? It is defined by a security experiment, which we will call the cloning experiment. And the maximum attainable success probability in this experiment by a polynomial time triplet adversary, which I will refer to as Alice, Bob and Charlie, will give us the security parameter as it relates to unclonability. The cloning experiment consists of two phases.
In the first phase, the challenger creates an encryption of a random message and sends it to Alice. And then Alice applies a quantum channel to split the ciphertext between two physically distant registers, which belong to Bob and Charlie. The second phase is the challenge phase in which Bob and Charlie are not allowed to communicate. After learning the key from the challenger, Bob and Charlie need to both guess the message correctly. This captures the intuition that they both preserved the decryption functionality simultaneously. Note that you can always trivially send the ciphertext to one of the parties, say Bob, and then have Charlie guess the message uniformly at random, which would give us a success probability of 1 over 2 to the n. So that will be the benchmark to compare success probabilities with. In their introductory work, Broadbent and Lord presented two constructions of unclonable encryption. The first one, which they call conjugate encryption, is based on the conjugate coding by Wiesner, which are the BB84 states used in Wiesner's quantum money construction as well as quantum key distribution. The security for this scheme is information theoretic, and it matches the value 0.85 to the n, which comes from a monogamy of entanglement bound. They also show a modification using PRFs, which achieves a better security but only in the quantum random oracle model. In this work, we explore different ways to improve this introductory work on unclonable encryption. Here are some of the open directions left by the authors to explore. Can we make the key reusable without resorting to the random oracle model? Can we make the encryption in the public key setting? Can we achieve security close to 0.5 to the n, which matches the trivial attack? And can we use this unclonable encryption primitive to construct other unclonable crypto or show implications in the other direction?
We answer three out of the four questions positively in this paper, and we make some observations and show negative results about the existing constructions regarding the security. Our first contribution is about the reusability of the key. The information theoretic construction of Broadbent and Lord did not allow the key to be reused due to a one-time pad in the encryption. So assuming post-quantum one-way functions, we present a construction, which is secure under multi-message attacks. Likewise, we also present a scheme in the public key setting, which is semantically secure. Again, this construction is based on minimal possible assumptions. There are different reasons we care about the reusability of the key. One is efficiency. We don't want to have to create a new key for each bit of communication. Secondly, all the benefits of public key crypto in the classical world still apply to the case of unclonable encryption with the additional requirement that we might be in a setting where unclonability is desired. This motivates our second construction, which is in the public key setting. Thirdly, in case we use unclonable encryption to construct other primitives, we might need the usability of the key in security proofs. It is important to note that in our work, we do not consider the issue of reusability as it pertains to unclonable security. We only take it into account in semantic security. This is not a big problem in the public key setting, since the adversary can generate ciphertexts himself. However, in the private key setting, a more delicate argument might be needed. Here's a table that summarizes the increment of our constructions, which is that they satisfy semantic security without having to use a random oracle model. Next, we explore whether the 0.85 to the n unclonable security is tight for the conjugate encryption.
It turns out it is tight in the sense that it cannot be arbitrarily close to 0.5 to the n due to a universal cloning attack which we present. One way to potentially get closer to 0.5 to the n is to find a harder monogamy of entanglement game and base the construction on that game. We show that the use of Wiesner bases can be generalized to include a larger class of bases and the corresponding monogamy of entanglement games. And such bases and such monogamy games have been analyzed. One example is coset states. Our final contribution is to show an implication from unclonable encryption to copy protection. A copy protection scheme is a tuple of algorithms, copy protect and evaluate. Given a function from a family, copy protect outputs a copy protected quantum state. And using that quantum state, a client can evaluate inputs of f. Correctness requires that if this is done honestly, the output should be equal to f of x. And security requires that it's impossible to make two copies of the copy protected program with the same functionality, even if a malicious evaluation algorithm is used. So recall the unclonable security game. And now we will present a stronger version which was introduced by Broadbent and Lord also. In this version, the adversary gets to choose a pair of messages and plays a semantic security game where to win, Bob and Charlie must simultaneously distinguish these messages after the key has been revealed in the second phase. Note that in this experiment, the trivial strategy succeeds by having Charlie guess randomly. And the probability of success is one-half. Therefore, we call an unclonable encryption scheme unclonable indistinguishable secure if the optimal value of this experiment is negligibly close to one-half. Since Aaronson introduced copy protection, copy protection of point functions has remained an open problem. Aaronson himself had proposed this scheme, but to date there is no formal security proof.
In a recent work, the question was answered positively where the security was shown in the quantum random oracle model. The question in the plain model still remains open. We show that unclonable indistinguishable security, which was a stronger version of unclonable security, can be used to construct copy protection for point functions in the plain model. This result makes the feasibility of this stronger primitive an interesting question. One limitation of our construction is that it satisfies a slightly weaker notion of correctness called computational correctness, which states that polynomial-time adversaries will not run into inputs not evaluating correctly. All in all, this presents a new direction to explore in trying to show copy protection of point functions. Let's move on to details. So, we'll first talk about the key reusability. In our private key construction, we make use of hybrid encryption. We take as granted a one-time unclonable encryption scheme and a post-quantum private key encryption scheme. The first scheme can be instantiated by conjugate encryption of Broadbent and Lord, for example. And the idea is that we gain the best of both worlds, where unclonability comes from the first scheme and reusability from the second one. The key to our scheme will be the private key encryption key. And to encrypt that message, we will first generate an unclonable encryption key and encrypt the message using that key, as well as encrypt that key using the private key encryption key. The ciphertext will be the concatenation of these two ciphertexts, one of which is quantum. It is well known that hybrid encryption like this inherits semantic security from the outer layer encryption, PKE. As for unclonable security, a direct reduction, unfortunately, does not work due to the nature of the cloning experiment. Recall that in the second phase of the cloning experiment, the key is revealed, which makes it a challenge to invoke the semantic security of PKE.
To overcome this issue, we've come up with a property which makes the encryption non-binding. The fake key property states that, in the eyes of the adversary, a ciphertext key pair is indistinguishable from another pair where the encrypted message is zero and the key is the fake key generated using the ciphertext and the original message. Let's go back to the cloning experiment. Using the fake key property, we will slightly modify this experiment to overcome our previous issue. In the next hybrid, we replace M by zero in the first phase and in the second phase, instead of revealing the original key, K, we reveal the fake key. The fake key property implies that the two hybrids do not differ in the adversary's success probability except for a negligible amount. So all that remains to show is this modified experiment. Unlike before, the fake key is not alien to the reduction and it can be generated when simulating the challenger. Therefore, this finishes the security proof. In our paper, we instantiate this fake key property using pseudo-random functions. We follow the same philosophy in the public key setting. However, instead of the fake key property, we rely on functional encryption. This can be instantiated using post-quantum public key encryption, which is truly necessary for public key unclonable encryption. We also make use of private key encryption with pseudo-random ciphertexts and please refer to the manuscript for the details. Let's move on to our next result. Before we start, let's establish some notation. The Wiesner basis will be denoted by x raised to theta. And this means for an n-bit string theta and x, the Hadamard gate will be applied to certain qubits of x depending on theta. Conjugate encryption unclonable security is based on the BB84 monogamy game, which we will define now. It's a security game between the challenger and an adversary which we will denote by Bob and Charlie.
The adversary starts by preparing a tripartite state and sending one of the registers to the challenger. And we will call n the size of the register of the challenger. And the rest of the state will be split between Bob and Charlie. And in the second phase, they're not allowed to communicate. And the challenger will measure its register on a random Wiesner basis indexed by theta. And the goal is to predict this measurement outcome simultaneously as Bob and Charlie. Based on this, conjugate encryption encodes the message using a one-time pad followed by the conjugate encoding. And the conjugate coding provides unclonable security, which can be reduced to the security of this monogamy game. And it has been shown that the value of this monogamy game is exactly 0.85 to the n. And this value was used as an upper bound on the unclonable security of conjugate encryption by the authors using a reduction in the following form. You prepare an EPR state and apply the splitting map of Alice to the second half and share it across Bob and Charlie. And this reduction works without any security loss due to the fact that the EPR pair is basis independent when the bases in question are Wiesner bases. Therefore, the entanglement does not break no matter what theta was chosen. We explored how to generalize this idea and we examined for what bases this basis-independent EPR pair property still holds. And the answer to that is simple. If we have a collection of bases, which are linear combinations of the computational bases with real coefficients, then it turns out the property holds. And for any collection of bases like that, there is a monogamy game where instead of measuring on a random Wiesner basis, the challenger will measure on a random basis chosen from this collection. And this results in our construction, which mimics conjugate encryption except for a general collection of real orthogonal bases.
And using the same technique as Broadbent and Lord, we're able to show that we can reduce the security to the monogamy game. Therefore, this gives us a potential venue to explore meaningful upper bounds for unclonable security. On the other hand, we can ask the question if there are lower bounds for the existing constructions, meaning explicit attacks. And it turns out the answer is yes. Even though the no-cloning theorem rules out exact cloning, it turns out it's still possible to approximately clone structured quantum states. And any construction in our generalized conjugate encryption, provided that it encrypts the message bitwise, just like in the original conjugate encryption, is susceptible to a universal cloning attack which approximately clones every qubit of the ciphertext and has the adversaries try to decrypt the message as if they had the original ciphertext. Analysis shows that conjugate encryption is not good enough to achieve optimal security in this sense. And in general, our generalized conjugate encryption could only be useful for this purpose if the bases are sufficiently entangled. We're especially interested in optimal security of unclonability because Broadbent and Lord also showed that it implies unclonable indistinguishability, which we use to construct copy protection. In the final portion of the talk, I will summarize our copy protection construction. Given an unclonable indistinguishable secure scheme, we consider a specific class of point functions and the distribution over this class depends also on a signature scheme. And the construction itself is very simple. To copy protect, we simply encrypt the signature using the key, which are parameters of the function. And we also give the verification key of the signature in the open. As previously mentioned, we can only guarantee computational correctness. However, computational correctness has been used in a slightly different context with classical VBB obfuscation.
And it also captures the intuition that the client will not experience problems of incorrectness. It is also not that weak in the sense that it's stronger than the recently used notion called distribution correctness. However, one issue with this weaker notion of correctness is that, unlike per-input correctness, we cannot ensure the reusability of the program unless it's used honestly. It's important to note that due to the QROM construction before us, the search for unclonable indistinguishability needs to be in the plain model to be meaningful. And here are a couple of concurrent works which achieve similar results. We note that encryption with certified deletion is a weaker primitive, but the authors achieve classical deletion, therefore having comparable results. To summarize, our contributions can be presented as private key and public key unclonable encryption, which satisfy semantic security. And we analyze the unclonable security of conjugate encryption and provide a lower bound using a simple cloning attack. And in terms of upper bound, we don't have a concrete value, yet we open a new avenue for using monogamy of entanglement to achieve that. And finally, we show that the stronger primitive unclonable indistinguishability implies copy protection for point functions. And to build on this, the reusability can be extended to the unclonability setting, especially in the private key setting. And of course, to make our generalized construction meaningful, we hope that monogamy games that are better than the BB84 game will be discovered. And of course, the biggest open question is whether unclonable indistinguishability is feasible or not. And it turns out to be a particularly challenging problem. And one could also try to improve the computational correctness to statistical correctness. And that concludes my talk. Thank you for listening.
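
The basis-independent EPR pair property the talk relies on can be checked numerically for a single qubit. The following is an added example, not part of the talk or the paper: it measures one half of an EPR pair in a basis and tests whether the other half collapses to the same basis vector. All function names and the circular-basis counterexample are assumptions introduced here for illustration.

```python
import math

S2 = 1 / math.sqrt(2)
# EPR pair (|00> + |11>)/sqrt(2); the amplitude of |i>|j> sits at index 2*i + j.
EPR = [S2, 0.0, 0.0, S2]

# A basis is a 2x2 unitary whose columns are the basis vectors.
COMPUTATIONAL = [[1.0, 0.0], [0.0, 1.0]]
HADAMARD = [[S2, S2], [S2, -S2]]            # with COMPUTATIONAL: the Wiesner bases
CIRCULAR = [[S2, S2], [S2 * 1j, -S2 * 1j]]  # complex coefficients (constructed counterexample)

def rotation(angle):
    """A real orthogonal basis: real linear combinations of |0> and |1>."""
    c, s = math.cos(angle), math.sin(angle)
    return [[c, -s], [s, c]]

def basis_vector(U, x):
    """Column x of U, i.e. the state U|x>."""
    return [U[0][x], U[1][x]]

def collapse_partner(U, x):
    """The challenger's half is found in U|x>; return the normalised state of the other half."""
    b = basis_vector(U, x)
    # Apply <b| (x) I to the EPR state: partner[j] = sum_i conj(b_i) * EPR[2*i + j].
    partner = [sum(complex(b[i]).conjugate() * EPR[2 * i + j] for i in range(2))
               for j in range(2)]
    norm = math.sqrt(sum(abs(a) ** 2 for a in partner))
    return [a / norm for a in partner]

def fidelity(a, b):
    """Squared overlap |<a|b>|^2 of two single-qubit pure states."""
    return abs(sum(complex(p).conjugate() * q for p, q in zip(a, b))) ** 2

def partner_fidelities(U):
    """Overlap between the partner's collapsed state and U|x>, for each outcome x."""
    return [fidelity(collapse_partner(U, x), basis_vector(U, x)) for x in range(2)]

def basis_independent(U, tol=1e-9):
    """True if the partner always ends up in the same basis vector the challenger saw."""
    return all(abs(f - 1.0) < tol for f in partner_fidelities(U))

if __name__ == "__main__":
    for name, U in [("computational", COMPUTATIONAL), ("Hadamard", HADAMARD),
                    ("rotation(0.3)", rotation(0.3)), ("circular", CIRCULAR)]:
        print(name, [round(f, 6) for f in partner_fidelities(U)], basis_independent(U))
```

For a basis with complex coefficients the partner collapses to the complex conjugate of the measured vector, which is why the circular basis fails the check while every real orthogonal basis passes.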