Copy Protection of Compute and Compare Programs

The example protocol achieves the functionality of Copy Protection allowing a Vendor to send a program to a Client such that the Client cannot duplicate it. This protocol, in particular, achieves copy-protection for 'compute-and-compare' programs.

Tags: Two Party Protocols, Quantum Functionality, Universal Task, Computational Security

Assumptions

• Vendor and Client are connected by quantum and classical channels
• Vendor can create and transmit BB84 states
• Client has the capability to perform universal quantum computation

Outline

Any Copy Protection protocol consists of two algorithms: Protect and Eval. For the family of compute-and-compare programs, these algorithms are described as follows:

• Protect: The Vendor encodes the required qubits into BB84 states using the program description. The Vendor then calculates the output of some hash function on the program description as input. The encoded qubits and the hashed description are sent to the Client as output.
• Eval: The Client decrypts the received qubits using the input on which they wish to evaluate the program. Using these qubits as inputs, the Client computes the same hash function (on ancillary qubits) and coherently compares it with the hashed description received from the vendor. The Client finally measures and outputs the result of the comparison.

Notation

• ${\displaystyle P_{y}}$ : The point function to be copy-protected in Protocol 1. ${\displaystyle P_{y}}$ is completely specified by a string of ${\displaystyle n}$ bits, ${\displaystyle y}$. ${\displaystyle P_{y}(x)=1}$ if ${\displaystyle x=y}$ and ${\displaystyle 0}$ otherwise
• ${\displaystyle CC[f,y]}$ : The compute-and-compare program to be copy-protected in Protocol 2. It is completely specified by an efficiently computable function ${\displaystyle f:\{0,1\}^{n}\rightarrow \{0,1\}^{m}}$ and a string of ${\displaystyle m}$ bits, ${\displaystyle y}$. ${\displaystyle CC[f,y](x)}$ is ${\displaystyle 1}$ if ${\displaystyle f(x)=y}$ and ${\displaystyle 0}$ otherwise.
• ${\displaystyle n}$ : Size of input string ${\displaystyle x}$
• ${\displaystyle \lambda }$: Security parameter
• ${\displaystyle G:\{0,1\}^{n}\rightarrow \{0,1\}^{m(\lambda )}}$ (Hash function)
• ${\displaystyle H:\{0,1\}^{m(\lambda )}\rightarrow \{0,1\}^{\lambda }}$ (Hash function)
• ${\displaystyle |x^{\theta }\rangle =H^{\theta }|x\rangle =H^{\theta _{1}}\otimes ...\otimes H^{\theta _{\lambda }}|x\rangle }$, where ${\displaystyle \theta }$ is a ${\displaystyle \lambda }$-bit string ${\displaystyle \theta _{1},...,\theta _{\lambda }}$

Protocol Description

First, we define a protocol for copy-protection of point functions. This protocol can then be extended to a protocol for compute-and-compare programs.

Protocol 1 - Copy protection of point functions

PF-Protect(${\displaystyle \lambda ,y}$)

Inputs: ${\displaystyle \lambda }$ - security parameter; ${\displaystyle y}$ - description of point function ${\displaystyle P_{y}}$

• Set ${\displaystyle \theta =G(y)}$
• Sample ${\displaystyle v\leftarrow \{0,1\}^{m(\lambda )}}$ uniformly at random
• Let ${\displaystyle z=H(v)}$
• Output (${\displaystyle |v^{\theta }\rangle ,z}$)

PF-Eval(${\displaystyle \lambda ,(\rho ,z),x}$)

Inputs: ${\displaystyle \lambda }$ - security parameter; ${\displaystyle (\rho ,z)}$ - Alleged copy-protected program; ${\displaystyle x}$ - Input on which the program is to be evaluated

• Set ${\displaystyle \theta ^{\prime }=G(x)}$
• Apply the Hadamard operator ${\displaystyle H^{\theta ^{\prime }}}$ to ${\displaystyle \rho }$
• Append ${\displaystyle n+1}$ ancillary qubits to ${\displaystyle \rho }$, all in state ${\displaystyle |0\rangle }$
• Compute the hash function ${\displaystyle H}$ onto the first ${\displaystyle n}$ ancillary qubits with ${\displaystyle \rho }$ as input
• Coherently measure whether the first ${\displaystyle n}$ ancilla qubits are in state ${\displaystyle |z\rangle }$, recording the result in the last ancilla qubit
• Uncompute the hash function ${\displaystyle H}$ and undo the Hadamards ${\displaystyle H^{\theta ^{\prime }}}$
• Measure the last ancilla qubit to obtain a bit ${\displaystyle b}$ as output

Protocol 2 - Copy protection of compute-and-compare programs

CC-Protect(${\displaystyle \lambda ,(f,y)}$)

Inputs: ${\displaystyle \lambda }$ - security parameter; ${\displaystyle (f,y)}$ - description of compute-and-compare program ${\displaystyle CC[f,y]}$

• Let ${\displaystyle \rho =}$ PF-Protect(${\displaystyle \lambda ,y}$)
• Output (${\displaystyle f,\rho }$)

CC-Eval(${\displaystyle \lambda ,(f,\rho ),x}$)

Inputs: ${\displaystyle \lambda }$ - security parameter; ${\displaystyle (f,\rho )}$ - Alleged copy protected program; ${\displaystyle x}$ - Input on which the program is to be evaluated

• Compute ${\displaystyle y^{\prime }=f(x)}$
• Let ${\displaystyle b\leftarrow }$ PF-Eval(${\displaystyle \lambda ,\rho ,y^{\prime }}$). Output ${\displaystyle b}$.

Properties

• Both protocols have provable non-trivial security in the quantum random oracle model. Informally, a query bounded adversary fails at pirating with at least some constant probability.
• The Client should be able to perform universal quantum computation in order to compute the hash function ${\displaystyle H}$
• The protected programs obtained in both protocols allow polynomially-many evaluations (as we evaluate the copy-protected programs reversibly).
• Protocol 1 also satisfies the primitive of Virtual Black Box Obfuscation
• By adding a verification step, Protocol 2 can be extended to the weaker primitive of Secure Software Leasing. This protocol for Secure Software Leasing does however provide a standard level of security, i.e. the adversarial success probability is negligible in the security parameter.

Further Information

For the security proof and extension of the protocols to other functionalities, refer to the same paper by Coladangelo et al. (2020)