 Hi, everyone. I'm going to talk about new approaches for quantum copy protection. This is joint work with Scott Harrison, Chi-Peng Liu, Mark Jendri and Richard Zhang. As we know, quantum node cloning principle does not allow us to copy an arbitrary quantum state, and this property leads to some applications in quantum cryptography. One famous example is quantum money. A quantum money state encodes the money value and the serial number. A valid money state can get verified by the bank, but the user with one copy of money state cannot produce two copies that both pass verifications. And we wonder can we leverage such a scheme to encode more complex, clonable classical information to unclonable quantum information? Harrison in 2009 put forward quantum copy protection. A copy protection algorithm turns a classical function f into a quantum state. This state can be used to run on any input such that you get the same evaluation as the original function. But the polynomial time bounded adversary cannot turn this state into two states that both compute the function f correctly. Harrison also gave a first construction for copy protection for any unlearnable function using a quantum oracle. So what's a unlearnable function? An unlearnable family function is a family functions that cannot be learned through its input of behavior by a polynomial time adversary. And here specifically we mean quantum poly time adversary. It's clear that if a function is learnable it can never be copy protected because the adversary can just recover the functionality from the program by learning it no matter how you do copy protection to the program. Thus, we only care about copy protecting unlearnable functions. One drawback of Harrison scheme is that quantum oracle is a strong assumption. Quantum oracles implement functionalities of quantum circuits while classical oracles implement classical circuits. Both kinds of oracles can be heuristic implemented by cryptography assumption called virtual black box of fascination, which scrambles a program and make it no different from accessing an oracle to the adversary. Both of these assumptions are strong, but a fascination for quantum circuits due yet a stronger assumption than the classical one. And of course quantum oracles in the eyes of the complexity theorists is in general much stronger tool. Therefore, Harrison in 2009 asked if we can build quantum copy protection using only a classical oracle. And we give a positive read answer to this question in our results. And our main results can be divided into three parts, we will talk about this construction relative to classical oracle in the second part. And before that, we briefly go through some improvement upon the definitions. Firstly, we take a look at the basic algorithms of a quantum copy protection scheme. The setup algorithm generates a secret key. The general algorithm takes in the function f we want to copy protect and the secret key and outputs a quantum program which consists of a unitary description, as well as a quantum state. And from now on, whenever we describe a quantum program, we would use these two components, a unitary and a state to be represented. Here, notice that we also separate setup at January procedures because we want to specify that secret key generation is usually independent of the function. The evil algorithm takes in the quantum program and the input, it outputs the measurement result of the output register and the remaining state after evaluation. Next, we give an attempt security definition and explains issues. First, we have correctness requirement. Of course, given an honestly generated program will want evaluation to be correct with probability almost one for all inputs. And next, we define anti-parasites through a security game. The quantum polynomial time adversary is given one copy of the authentic program. Then the adversary tries to produce two pyro programs and gives to the challenger. It wins if both of these programs evaluate the function correctly with large enough probability over the input distribution correlated with the function. We want any QPT adversary to win with only negligible probability. When evaluating the pyro programs, we would completely ignore any instructions given in the authentic program, but just use the universal circuit that run on the pyro's program unitary and state. We want to emphasize this property because later on, we would compare it with some other weaker circuit notions. So what are some issues with this security game? In the classical setting, we would typically have the challenger estimate the fraction of correct evaluations by picking a large enough number of inputs at random or from an appropriate distribution running the copy protected program on these inputs and computing the fraction of correct evaluations. However, in the quantum setting, when the challenger only gets a single copy of the program, each evaluation may alter the pyro program irreversibly because we cannot assume we can do gentle measurement to the pyro programs like we do to the honestly generated programs. Estimating the fraction of inputs on these pyro programs that compute correctly is not generally possible. The next problem is how we define a success probability of pyro programs on the physical level. So imagine an adversary who sends such the following state to the challenger. Here the good state is a program that evaluates perfectly every input and the dummy state is a user's program. Using this state, evaluation is successful on any input with probability one half. But it is impossible to have a procedure that estimates the average success probability of evaluation to very high precision. Because this procedure would imply a procedure that help us distinguish perfectly the superposition of good and dummy away from the good state or from the dummy state. So we don't know how we can label this program successful or not. This is impossible in general since the two states are unorthogonal and have large overlap. And finally we give one more example. So consider the following program entangled in such a way that with epsilon probability we get both programs as good with one minus epsilon probability we get both programs as dummy. Since the probability that we measure and get good good is noticeable, this program should probably be considered as a successful attack in some settings, which were not considered in the past definitions. So how do we test a quantum program properly in the security game. On a high level, we define a new procedure that consists of applying an appropriate projected measurement, which measures the success probability of the testing state under the testing input distribution. After we apply this procedure, leftover program is still a successful program with probability P. Even though this leftover program is far from the original program state, but the success probability is preserved. Such a measurement will not extract the exact success probability of the program of course, as we mentioned before, if we want to be efficient. So we can approximate it using some techniques from Merritt Virtuous 2005 and January 2020. And finally we can see how we decided for quantum adversary wins the above scale. At the beginning the challenger sets a threshold gamma that applied the measurement procedure to each of the pyro programs P1 P2 respectively will accept a pyro program if the success probability is greater than gamma. So the adversary wins if both our probabilities are greater than gamma. And this gamma threshold chosen depending on the family functions we try to copy protect and other factors related to applications or situations when we use copy protection. So in summary, the circuit definition has the following properties. It's a physically meaningful testing procedure with efficient approximate implementations. It implies the attempt definition we mentioned. And it's a useful tool. It actually helps the adiparacy security proofs go through in this paper and later work. So it's a reduction friendly definition. The next comes to our result for construction. We give a construction to copy protect any unlearnable functions using a classical oracle. Our overall high level idea is inspired by hidden subspace from Harrison Cristiano's public key quantum money scheme in 2012. A hidden subspace a is a secret subspace randomly chosen by the challenger. It has exponentially many elements, but still exponentially small compared to the full space, which is for example, and dimensional vector space over the finite field of two. Subspace state cat a is an equal superposition of elements in a and subspace states have have the following properties. If we do QFT to the state. We get it to subspace state with vectors in a perp. Moreover, we should consider the following problem. When we give a quantum adversary, one copy of state a and access to membership oracles for a and a perp, which check if the input vector is in a and if the input vectors in a perp respectively outputs one if only if the input vector is in the subspace such a quantum bounded polynomial in terms of queries cannot produce two vectors, one in a and one in a perp in a perp and both are not zero. And our security will rely on this probably hard problem. And protection construction for F consists of one copy of the subspace state a and two oracles. So each oracle checks if a part of the input is in a or in a perp respectively, and then gives a secret share of the function f evaluated on x. That is, the first oracle gives a random function evaluation x, and the second oracle gives the random valuation x sword with effects. To evaluate the program, the user first inputs the subspace state into oracle one and measures the output. And by the gender measure measurement level, the remaining state is still good for use, then the user applies qft to the state and obtains the due subspace state inputs into the second program and measures the output register. So we can explore the two output values we obtained together and give us fx. I will explain the security proof on a high level. So suppose an adversary is able to produce two programs that both successfully pass the test that we can do reduction to break either one of the four of our either one of our underlying hard problems. In the first case, we can extract the vector v in a from the first pilot program and extract the vector u in a perp from the second pilot program. And if the second case doesn't happen, we show that we're definitely in the, in the second case, where we can use one of the pilot programs to break the other ability of f. To argue, actually, when we when the adversary makes the programs entangled to argue that we can extract a vector from each of the pilot programs. However, in our paper, we can actually rule out this possible this possible attack by a careful analysis in the reduction. Please refer to the details in the paper. So now we already have an oracle construction, we probably wonder if we can move to a construction using more practical cryptography assumptions. Unfortunately, we do have a barrier in the plane model, when we want to remove the oracles. A concovering work shows that using a post quantum cryptography assumption called learning with errors and the quantum fully homomorphic encryption scheme. We can build a circuit that is un-learnable, but can never be copied protected. Here, learning with errors is believably post quantum and quantum FHE can actually be built on LWE but a full scale quantum FHE cannot be built on LWE alone. We need some secure security assumptions. So in the face of this barrier, the next achievable directions are, first, consider weakening the security notions. Are there weaker but meaningful security notions for quantum copy protection that we can do better? And the second direction is of course we don't relax the security requirement, but we consider copy protecting specific and smaller classes of functions. For example, there are some follow-up works which gives construction for copy protecting point functions and extending to compute and compare functions in the random oracle model and copy protecting PRFs and decryption. But we will focus on the first direction here in terms of the results in our paper. Before talking about our result, we want to mention that in the same paper that gives the impossibility result, the authors also give a weakened security notion for copy protection. This notion is called Secure Software Leasing. In the high level, the security notion can be described as malicious pirate on its free loader. The pirate can do anything to make pirate copies of the program, but any free loader, the person who gets a pirate copy and wants to use it, is honest. They will follow the instructions of how to run the program published by the Authentic Software vendor. Therefore, when we test if a pirate program is successful, we use the evaluation function, evaluation algorithm published by the vendor. This is in contrast to what we mentioned before for copy protection. In copy protection, we just use a universal quantum circuit to run on any unitary and a quantum state given by the adversary. SSL, Secure Software Leasing, is actually a weaker security notion in that we restrict the possible attacks from the pirate by asking him to produce pirate programs that will only run correctly only when we use evaluation instructions. Therefore, we can, for example, add some validated checks in the evaluation algorithm so that only certain quantum states will pass this check and continue to output the evaluation of the function. Otherwise, you don't get to output anything. In general, even though SSL actually still does not get a running the general possibility result for copy protection, it makes it easier for us to build construction for specific families of functions in the plane model without oracles. For example, in the same paper AL20, they give the construction for subclass of evasive functions called computing and compare, which is an extension, as we mentioned before, of point functions. And finally comes to our third result. We also give a new security notion inspired by SSL. We also put forward this notion called copy detection. Instead of allowing the adversary to win with any pirate programs that compute correctly. They also need to pass an additional test that tries to check if the programs are pirate copies, not authentic ones. So the adversary not only needs to produce programs that compute F, but also programs with certain features so that they won't be found out as pirates. More specifically, we have additional algorithm called check and additional generation of public key corresponding to the secret key we generated for the copy protection. The check algorithm takes in the public key and the claimed program and outputs a bit indicating whether the program has passed this validity check. Finally, the anti-parasite security is just adding this check procedure to testing of the pirate programs. We first apply check using the public key on the program and then proceed to test its functionality and only if the program has first passed the check. Using this notion, we can build copy protection scheme for any watermarkable functions. Combined with the security of public key quantum money. And for watermarking, watermarking is a classical cryptography tool that allows you to embed the watermark into the functions and no adversary can remove this watermark while not damaging the functionality. So watermarkable functions actually include a number of families of cryptography functions such as PRFs, public key encryption and signatures. So we can do copy detection for large families of functions and what's our comparison with the security of SSL. So we want to emphasize that one main difference is we emphasize the public detectability of our scheme and anyone with the public key can detect the program, whether it's pirated or not. Even without any knowledge of functionality and this is guaranteed by the security of public key quantum money and public extractable watermarking. And generally, believe the two notions are actually have the same level of security. For example, if we combine check algorithm in the copy detection together with the universal circuit evaluation for quantum program, we can get the evaluation algorithm as required in the SSL scheme. And another concurrent work achieves security software leasing for PRFs from LWE. They make some similar observation on the use of watermarking and quantum money. And they use a semi public key quantum money because they observe that the security of SSL does not require a fully public key quantum money scheme. And another follow up work this year. It achieves the average correct and information theoretically secure SSL scheme for compute and compare functions. And finally, we give some open problems. First, watermark ability seems to be an important property for functions that can be copy detected or secure software leased. We can actually lift any watermarkable functions to be copy protected as well. But of course we may need stronger cryptography hammers at the same time. And second, can we achieve inclusion resistance for copy protection. When we give out K copies to the adversary and he cannot generate K plus one copies for some polynomial key. So if public key quantum money and secure software leasing, actually it's easy to showcase inclusion resistance, for example by adding a digital signature to the money scheme or assuming inclusion resistant watermarking scheme for the secure software leasing. However, in copy protection, it's not clear how we can prove the security, even for the Oracle setting. And that's it. Thank you.