Document Sample

Quantum Software Copy-Protection | Scott Aaronson (MIT) Many people have a legitimate interest in keeping their intellectual property from being copied… “But if quantum mechanics “Well, from my isn’t physics in the usual perspective, it’s about sense—if it’s not about information, probabilities, matter, or energy, or waves— and observables, and how then what is it about?” they relate to each other.” Classically: Giving someone a program that they can use but not copy is fundamentally impossible (tell that to Sony/BMG…) Quantumly: Well, it’s called the “No-Cloning Theorem” for a reason… Question: Given a Boolean function f:{0,1}n{0,1}, can you give your customers a state |f that lets them evaluate f, but doesn’t let them prepare more states from which f can be evaluated? “Can they use the state more than once?” Answer: Certainly, if they buy poly(n) copies of it Note: We’re going to have to make computational assumptions Example where quantum copy-protection seems possible Consider the class of point functions: fs(x)=1 if x=s, fs(x)=0 otherwiseThis scheme is provably secure, Theorem: under the assumption that that 2=e. broken. Encode s by a permutation such it can’t beChoose 1,…,k uniformly at random. Then give your customers (Assumption is the following state: related to, but stronger than, the hardness of the Hidden Subgroup Problem over Sn) 1 1 k k 2 2 Given any permutation ’, I claim one can use | to test whether ’= with error probability 2-k On the other hand, | doesn’t seem useful for preparing additional states with the same property Example where quantum copy- protection is not possible Let G be a finite group, for which we can efficiently prepare |G (a uniform superposition over the elements) Let H be a subgroup with |H| |G|/polylog|G| Given |H, Watrous showed one can efficiently decide membership in H Given an element xG, check whether H|Hx is 0 or 1 Furthermore: given a program to decide membership in H, one can efficiently prepare |H First prepare |G, then postselect on membership in H Conclusion: Any program to decide membership in H can be pirated! But apparently, only by a “fully quantum pirate” Speculation: Every class of functions can be quantumly copy-protected, except the ones that can’t for trivial reasons (i.e., the ones that are “quantumly learnable from inputs and outputs”) Main Result [A. 2034]: There exists a “quantum oracle” relative to which this speculation is correct Thus, even if it isn’t, we won’t be able to prove that by any “quantumly relativizing technique” Second application of my proof techniques [Mosca-Stebila]: Provably unforgeable “quantum money” (Provided there’s a quantum oracle at the cash register) Handwaving Proof Idea For each circuit C, choose a “meaningless quantum label” |C uniformly at random Our quantum oracle will map |C|x|0 to |C|x|C(x) (and also |C|0 to |C|C) Intuitively, then, having |C is “just the same as” having a black box for C Goal: Show that if C is not learnable, then |C can’t be pirated To prove this, we need to construct a simulator, which takes any quantum algorithm that pirates |C, and converts it into an algorithm that learns C Ingredient #1 in the simulator construction: “Complexity-Theoretic No-Cloning Theorem” Theorem: Suppose a quantum algorithm is given an n- qubit state |, and can also access a quantum oracle U that “recognizes” | (i.e., U| = -| and U| = | for all |=0). Then the algorithm still needs ~2n/2 queries to U to prepare any state having non-negligible overlap with || Observation: Contains both the No-Cloning Theorem and the optimality of Grover search as special cases! Proof Idea: A new generalization of Ambainis’s quantum adversary method, to the case where the starting state already has some information about the answer Ingredient #2: Pseudorandom States n 1 x 1 p0 x p 2 xGF 2 n where p is a degree-d univariate polynomial over GF(2n) for some d=poly(n), and p0(x) is the “leading bit” of p(x) Clearly the |p’s can be prepared in polynomial time Lemma: If p is chosen uniformly at random, then |p “looks like” a completely random n-qubit state - Even if we get polynomially many copies of |p - Even if we query the quantum oracle, which depends on |p So the simulator can use |p’s in place of |C’s r Future Directions r Get rid of the oracle! Clarify the relationship between copy-protection and obfuscation The “constant error regime”: what is information-theoretically possible?

DOCUMENT INFO

Shared By:

Categories:

Tags:
How to, hard disk, DVD movies, file copy, online dictionary, carbon copy, file system, operating system, copy command, Price Range

Stats:

views: | 36 |

posted: | 2/1/2011 |

language: | English |

pages: | 10 |

OTHER DOCS BY liwenting

How are you planning on using Docstoc?
BUSINESS
PERSONAL

By registering with docstoc.com you agree to our
privacy policy and
terms of service, and to receive content and offer notifications.

Docstoc is the premier online destination to start and grow small businesses. It hosts the best quality and widest selection of professional documents (over 20 million) and resources including expert videos, articles and productivity tools to make every small business better.

Search or Browse for any specific document or resource you need for your business. Or explore our curated resources for Starting a Business, Growing a Business or for Professional Development.

Feel free to Contact Us with any questions you might have.