Copy Protection of Compute and Compare Programs
The example protocol achieves the functionality of Copy Protection allowing a Vendor to send a program to a Client such that the Client cannot duplicate it. This protocol, in particular, achieves copy-protection for 'compute-and-compare' programs.
Tags: Two Party Protocols, Quantum Functionality, Universal Task, Computational Security
- Vendor and Client are connected by quantum and classical channels
- Vendor can create and transmit BB84 states
- Client has the capability to perform universal quantum computation
Any Copy Protection protocol consists of two algorithms: Protect and Eval. For the family of compute-and-compare programs, these algorithms are described as follows:
- Protect: The Vendor encodes the required qubits into BB84 states using the program description. The Vendor then calculates the output of some hash function on the program description as input. The encoded qubits and the hashed description are sent to the Client as output.
- Eval: The Client decrypts the received qubits using the input on which they wish to evaluate the program. Using these qubits as inputs, the Client computes the same hash function (on ancillary qubits) and coherently compares it with the hashed description received from the vendor. The Client finally measures and outputs the result of the comparison.
- : The point function to be copy-protected in Protocol 1. is completely specified by a string of bits, . if and otherwise
- : The compute-and-compare program to be copy-protected in Protocol 2. It is completely specified by an efficiently computable function and a string of bits, . is if and otherwise.
- : Size of input string
- : Security parameter
- (Hash function)
- (Hash function)
- , where is a -bit string
First, we define a protocol for copy-protection of point functions. This protocol can then be extended to a protocol for compute-and-compare programs.
Protocol 1 - Copy protection of point functions
Inputs: - security parameter; - description of point function
- Sample uniformly at random
- Output ()
Inputs: - security parameter; - Alleged copy-protected program; - Input on which the program is to be evaluated
- Apply the Hadamard operator to
- Append ancillary qubits to , all in state
- Compute the hash function onto the first ancillary qubits with as input
- Coherently measure whether the first ancilla qubits are in state , recording the result in the last ancilla qubit
- Uncompute the hash function and undo the Hadamards
- Measure the last ancilla qubit to obtain a bit as output
Protocol 2 - Copy protection of compute-and-compare programs
Inputs: - security parameter; - description of compute-and-compare program
- Let PF-Protect()
- Output ()
Inputs: - security parameter; - Alleged copy protected program; - Input on which the program is to be evaluated
- Let PF-Eval(). Output .
- Both protocols have provable non-trivial security in the quantum random oracle model. Informally, a query bounded adversary fails at pirating with at least some constant probability.
- The Client should be able to perform universal quantum computation in order to compute the hash function
- The protected programs obtained in both protocols allow polynomially-many evaluations (as we evaluate the copy-protected programs reversibly).
- Protocol 1 also satisfies the primitive of Virtual Black Box Obfuscation
- By adding a verification step, Protocol 2 can be extended to the weaker primitive of Secure Software Leasing. This protocol for Secure Software Leasing does however provide a standard level of security, i.e. the adversarial success probability is negligible in the security parameter.
For the security proof and extension of the protocols to other functionalities, refer to the same paper by Coladangelo et al. (2020)