					Quantum Software


  Scott Aaronson (MIT)
Many people have a legitimate interest in keeping their intellectual property from being copied…

“But if quantum mechanics isn’t physics in the usual sense—if it’s not about matter, or energy, or waves—then what is it about?”
“Well, from my perspective, it’s about information, probabilities, and observables, and how they relate to each other.”
Classically: Giving someone a program that they can
use but not copy is fundamentally impossible
      (tell that to Sony/BMG…)
Quantumly: Well, it’s called the “No-Cloning Theorem”
for a reason…
Question: Given a Boolean function f:{0,1}^n → {0,1}, can you give your customers a state |ψ_f⟩ that lets them evaluate f, but doesn’t let them prepare more states from which f can be evaluated?
“Can they use the state more than once?”
      Answer: Certainly, if they buy poly(n) copies of it
Note: We’re going to have to make computational
Example where quantum copy-protection seems possible
Consider the class of point functions: f_s(x)=1 if x=s, f_s(x)=0 otherwise.
Encode s by a permutation σ ∈ S_n such that σ² = e. Choose σ_1,…,σ_k uniformly at random. Then give your customers the following state:

$$|\psi\rangle = \frac{|\sigma_1\rangle + |\sigma_1\sigma\rangle}{\sqrt{2}} \otimes \cdots \otimes \frac{|\sigma_k\rangle + |\sigma_k\sigma\rangle}{\sqrt{2}}$$

Given any permutation σ′, I claim one can use |ψ⟩ to test whether σ′ = σ with error probability 2^{-k}.
On the other hand, |ψ⟩ doesn’t seem useful for preparing additional states with the same property.
This scheme is provably secure, under the assumption that it can’t be broken.
(Assumption is related to, but stronger than, the hardness of the Hidden Subgroup Problem over S_n)
Example where quantum copy-protection is not possible
Let G be a finite group, for which we can efficiently prepare |G⟩ (a uniform superposition over the elements).
Let H be a subgroup with |H| ≥ |G|/polylog|G|.
Given |H⟩, Watrous showed one can efficiently decide membership in H:
      Given an element x ∈ G, check whether ⟨H|Hx⟩ is 0 or 1.
Furthermore: given a program to decide membership in H, one can efficiently prepare |H⟩:
      First prepare |G⟩, then postselect on membership in H.
Conclusion: Any program to decide membership in H can
be pirated!
       But apparently, only by a “fully quantum pirate”
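Both directions of the argument above, as an added example (not code from the talk) in pure Python with G = S_4: the membership test ⟨H|Hx⟩ computed directly from |H⟩, and the pirate that is handed only a membership program, prepares |G⟩, evaluates the program into an ancilla in superposition and postselects on the ancilla reading 1. The choice of group, of the two subgroups (A_4 and the stabiliser of a point) and the dictionary statevector encoding are assumptions of this example. The success probability of the postselection comes out as |H|/|G|, which is exactly why the polylog index condition makes the pirate efficient, and the copy it obtains decides membership as well as the original.

```python
import itertools
import math


def compose(a, b):
    """Permutation product a*b: (a*b)(i) = a(b(i))."""
    return tuple(a[b[i]] for i in range(len(b)))


def parity(p):
    """0 for even permutations, 1 for odd, by counting inversions."""
    n = len(p)
    inv = sum(1 for i in range(n) for j in range(i + 1, n) if p[i] > p[j])
    return inv % 2


def uniform_superposition(elements):
    """|S> = sum_{x in S} |x> / sqrt|S|, stored as ket -> real amplitude."""
    amp = 1 / math.sqrt(len(elements))
    return {x: amp for x in elements}


def overlap(a, b):
    return sum(amp * b.get(x, 0.0) for x, amp in a.items())


def coset_state(h_state, x):
    """|Hx> = sum_{h in H} |h x> / sqrt|H|: right-multiply every ket by x."""
    return {compose(h, x): a for h, a in h_state.items()}


def decide_membership(h_state, x):
    """The test from the slide: <H|Hx> is 1 if x in H (Hx = H) and 0 otherwise
    (Hx is then a coset disjoint from H).  Computed here as a plain inner product."""
    return overlap(h_state, coset_state(h_state, x)) > 0.5


def pirate(G, is_member):
    """Fully quantum pirate.  Given only a program is_member: G -> {0,1},
    prepare |G>, run the program coherently into an ancilla, measure it.
    Outcome 1 has probability |H|/|G| and leaves exactly |H>.  Evaluating the
    program on each basis ket below is the classical simulation of that one
    coherent query; a pirate limited to classical queries gets one bit per call."""
    g_state = uniform_superposition(G)
    branch_1 = {x: a for x, a in g_state.items() if is_member(x)}   # ancilla = 1
    p_success = sum(a * a for a in branch_1.values())
    norm = math.sqrt(p_success)
    return {x: a / norm for x, a in branch_1.items()}, p_success


def states_close(a, b, tol=1e-9):
    return a.keys() == b.keys() and all(abs(a[k] - b[k]) < tol for k in a)


def run_demo(n=4):
    G = list(itertools.permutations(range(n)))
    results = {}
    # Two subgroups of small index: A_n (index 2) and the stabiliser of 0 (index n).
    subgroups = (("A_n", [g for g in G if parity(g) == 0]),
                 ("Stab(0)", [g for g in G if g[0] == 0]))
    for name, H in subgroups:
        h_state = uniform_superposition(H)
        # The vendor's program; the pirate may only call it, not look inside.
        program = lambda x, hs=h_state: decide_membership(hs, x)
        copy, p_success = pirate(G, program)
        results[name] = {
            "index": len(G) // len(H),
            "decisions_ok": all(program(x) == (x in H) for x in G),
            "p_success": p_success,                       # = |H|/|G| = 1/index
            "copy_matches_H": states_close(copy, h_state),
            "copy_decides_ok": all(decide_membership(copy, x) == (x in H) for x in G),
        }
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, r)
```

Once the pirate holds a copy of |H⟩ it can repeat the procedure, so the number of working copies is unbounded; the only cost is the 1/index postselection loss per attempt.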
Speculation: Every class of functions can be
quantumly copy-protected, except the ones that
can’t for trivial reasons
(i.e., the ones that are “quantumly learnable from inputs and outputs”)

Main Result [A. 2009]: There exists a “quantum
oracle” relative to which this speculation is correct
Thus, even if it isn’t, we won’t be able to prove that
by any “quantumly relativizing technique”
Second application of my proof techniques
[Mosca-Stebila]: Provably unforgeable “quantum
  (Provided there’s a quantum oracle at the cash register)
Handwaving Proof Idea
For each circuit C, choose a “meaningless quantum label” |ψ_C⟩ uniformly at random.
Our quantum oracle will map |ψ_C⟩|x⟩|0⟩ to |ψ_C⟩|x⟩|C(x)⟩
      (and also |C⟩|0⟩ to |C⟩|ψ_C⟩)
Intuitively, then, having |ψ_C⟩ is “just the same as” having a black box for C.
Goal: Show that if C is not learnable, then |ψ_C⟩ can’t be
To prove this, we need to construct a simulator, which
takes any quantum algorithm that pirates |C, and
converts it into an algorithm that learns C
 Ingredient #1 in the simulator construction:
“Complexity-Theoretic No-Cloning Theorem”
Theorem: Suppose a quantum algorithm is given an n-qubit state |ψ⟩, and can also access a quantum oracle U that “recognizes” |ψ⟩ (i.e., U|ψ⟩ = −|ψ⟩ and U|φ⟩ = |φ⟩ for all |φ⟩ with ⟨ψ|φ⟩ = 0). Then the algorithm still needs ~2^{n/2} queries to U to prepare any state having non-negligible overlap with |ψ⟩|ψ⟩.
Observation: Contains both the No-Cloning Theorem
and the optimality of Grover search as special cases!
Proof Idea: A new generalization of Ambainis’s quantum
adversary method, to the case where the starting state
already has some information about the answer
Ingredient #2: Pseudorandom States

$$|\psi_p\rangle = \frac{1}{\sqrt{2^n}} \sum_{x \in \mathrm{GF}(2^n)} (-1)^{p_0(x)}\, |x\rangle$$

where p is a degree-d univariate polynomial over GF(2^n) for some d = poly(n), and p_0(x) is the “leading bit” of p(x)

Clearly the |ψ_p⟩’s can be prepared in polynomial time
Lemma: If p is chosen uniformly at random, then |ψ_p⟩ “looks like” a completely random n-qubit state
- Even if we get polynomially many copies of |ψ_p⟩
- Even if we query the quantum oracle, which depends on |ψ_p⟩
So the simulator can use |ψ_p⟩’s in place of |ψ_C⟩’s
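The construction of |ψ_p⟩ above, as an added example (not code from the talk): GF(2^8) arithmetic, Horner evaluation of a random degree-d polynomial, and the phase state built from the leading bit of p(x). The field size n = 8, the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (any irreducible degree-8 polynomial would do), d = 4 and the seeds are assumptions of this example. It checks one concrete consequence of the lemma that a practitioner can measure: for two independent random p, q the overlap ⟨ψ_p|ψ_q⟩ has root-mean-square 2^{-n/2}, the same as for two Haar-random states of dimension 2^n. (For d = 0 the state is just ±|uniform⟩, which is why the degree matters.)

```python
import random

N_BITS = 8          # n = 8, so GF(2^8) has 256 elements (toy size, assumption)
MODULUS = 0x11B     # x^8 + x^4 + x^3 + x + 1, the AES field polynomial (assumption)


def gf_mul(a, b):
    """Multiply in GF(2^8): carry-less product, reduced modulo MODULUS bit by bit."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MODULUS
        b >>= 1
    return r


def gf_poly_eval(coeffs, x):
    """Horner evaluation of p(x) = sum_i coeffs[i] * x^i over GF(2^8)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def leading_bit(v):
    """p_0(x): the top bit of the field element's 8-bit representation."""
    return (v >> (N_BITS - 1)) & 1


def random_poly(d, rng):
    """Uniformly random coefficients c_0..c_d, i.e. a random polynomial of degree <= d."""
    return [rng.randrange(1 << N_BITS) for _ in range(d + 1)]


def psi(coeffs):
    """Amplitudes of |psi_p> = 2^{-n/2} sum_x (-1)^{p_0(x)} |x>, indexed by x."""
    scale = 1 / (2 ** (N_BITS / 2))
    return [(-1) ** leading_bit(gf_poly_eval(coeffs, x)) * scale
            for x in range(1 << N_BITS)]


def overlap(u, v):
    return sum(a * b for a, b in zip(u, v))


def rms_cross_overlap(trials=50, d=4, seed=3):
    """Root-mean-square of <psi_p|psi_q> over independent random p, q.
    For states that look Haar-random this should sit near 2^{-n/2} = 1/16."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        sp, sq = psi(random_poly(d, rng)), psi(random_poly(d, rng))
        total += overlap(sp, sq) ** 2
    return (total / trials) ** 0.5


def run_demo(seed=3, d=4):
    rng = random.Random(seed)
    p, q = random_poly(d, rng), random_poly(d, rng)
    sp, sq = psi(p), psi(q)
    return {
        "dim": len(sp),                      # 2^n = 256 amplitudes
        "norm_p": overlap(sp, sp),           # exactly 1.0: a valid state
        "cross_overlap": overlap(sp, sq),    # a multiple of 1/256, typically ~1/16 in size
        "rms_cross_overlap": rms_cross_overlap(d=d, seed=seed),
    }


if __name__ == "__main__":
    print(run_demo())
```

The RMS value is what pairwise independence of p(x), p(y) for x ≠ y already forces; what the lemma adds, and what this toy cannot verify, is that no efficient test sees the difference from a truly random state even with many copies and oracle access.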
Future Directions
Get rid of the oracle!

Clarify the relationship between copy-protection
and obfuscation

The “constant error regime”: what is
information-theoretically possible?
