Abstract
Formulating cryptographic definitions to protect against software piracy is an important research direction that has not received much attention. Since natural definitions using classical cryptography are impossible to achieve (as classical programs can always be copied), this directs us towards using techniques from quantum computing. The seminal work of Aaronson [CCC’09] introduced the notion of quantum copy-protection precisely to address the problem of software anti-piracy. However, despite being one of the most important problems in quantum cryptography, there are no provably secure solutions of quantum copy-protection known for any class of functions.
We formulate an alternative definition for tackling software piracy, called secure software leasing (SSL). While weaker than quantum copy-protection, SSL is still meaningful and has interesting applications in software anti-piracy.
We present a construction of SSL for a subclass of evasive circuits (that includes natural implementations of point functions, conjunctions with wild cards, and affine testers) based on concrete cryptographic assumptions. Our construction is the first provably secure solution, based on concrete cryptographic assumptions, for software anti-piracy. To complement our positive result, we show, based on cryptographic assumptions, that there is a class of quantum unlearnable functions for which SSL does not exist. In particular, our impossibility result also rules out quantum copy-protection [Aaronson CCC’09] for an arbitrary class of quantum unlearnable functions, resolving an important open problem on the possibility of constructing copy-protection for arbitrary quantum unlearnable circuits.
Notes
1. More generally, Aaronson considers the setting where the adversary gets multiple copies computing f and not just one.
2. That is, there is no known reduction to concrete cryptographic assumptions.
3. The person who leases the software to another.
4. The person to whom the software is being leased.
5. Although the lessor will technically be the owner of the leased state.
6. This denotes tracing out the second register.
7. For instance, they could be engineers assigned to test whether the beta version contains bugs.
8. Both notions (quantum copy-protection and secure software leasing) are only meaningful for unlearnable functions: if a function is learnable, then one could learn the function from the quantum state and create another authenticated quantum state computing the same function.
9.
10. A simulated proof is one that is generated by an efficient algorithm, called a simulator, that has access to some private coins that were used to generate the common reference string. Moreover, a simulated proof is indistinguishable from an honestly generated proof. A simulator has the capability to generate simulated proofs for YES instances even without knowing the corresponding witness for these instances.
11. See [15] for a description of this simplified version.
References
How Microsoft Corporation makes most of its money. https://www.fool.com/investing/2017/06/29/how-microsoft-corporation-makes-most-of-its-money.aspx
Aaronson, S.: Shtetl-Optimized. Ask Me Anything: Apocalypse Edition. https://www.scottaaronson.com/blog/?p=4684#comment-1834174. Comment #283, Posted: 03-24-2020. Accessed 25 Mar 2020
Aaronson, S.: Quantum copy-protection and quantum money. In: 2009 24th Annual IEEE Conference on Computational Complexity, pp. 229–242. IEEE (2009)
Aaronson, S., Christiano, P.: Quantum money from hidden subspaces. In: Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing, pp. 41–60 (2012)
Aaronson, S., Liu, J., Zhang, R.: Quantum copy-protection from hidden subspaces. arXiv preprint arXiv:2004.09674 (2020)
Alagic, G., Brakerski, Z., Dulek, Y., Schaffner, C.: Impossibility of quantum virtual black-box obfuscation of classical circuits. arXiv preprint arXiv:2005.06432 (2020)
Alagic, G., Fefferman, B.: On quantum obfuscation. arXiv preprint arXiv:1602.01771 (2016)
Amos, R., Georgiou, M., Kiayias, A., Zhandry, M.: One-shot signatures and applications to hybrid quantum/classical authentication. Cryptology ePrint Archive, Report 2020/107 (2020)
Ananth, P., La Placa, R.L.: Secure quantum extraction protocols. Cryptology ePrint Archive, Report 2019/1323 (2019)
Barak, B.: How to go beyond the black-box simulation barrier. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 106–115. IEEE (2001)
Barak, B., Bitansky, N., Canetti, R., Kalai, Y.T., Paneth, O., Sahai, A.: Obfuscation for evasive functions. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 26–51. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54242-8_2
Barak, B., et al.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Ben-David, S., Sattath, O.: Quantum tokens for digital signatures. arXiv preprint arXiv:1609.09047 (2016)
Bitansky, N., Khurana, D., Paneth, O.: Weak zero-knowledge beyond the black-box barrier. In: Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing, pp. 1091–1102. ACM (2019)
Bitansky, N., Paneth, O.: On the impossibility of approximate obfuscation and applications to resettable cryptography. In: Proceedings of the Forty-Fifth Annual ACM Symposium on Theory of Computing, pp. 241–250 (2013)
Bitansky, N., Shmueli, O.: Post-quantum zero knowledge in constant rounds. In: STOC (2020)
Brakerski, Z.: Quantum FHE (Almost) as secure as classical. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 67–95. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_3
Brakerski, Z., Döttling, N., Garg, S., Malavolta, G.: Factoring and pairings are not necessary for iO: circular-secure LWE suffices (2020)
Brakerski, Z., Perlman, R.: Lattice-based fully dynamic multi-key FHE with short ciphertexts. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 190–213. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_8
Broadbent, A., Grilo, A.B.: Zero-knowledge for QMA from locally simulatable proofs. arXiv preprint arXiv:1911.07782 (2019)
Broadbent, A., Gutoski, G., Stebila, D.: Quantum one-time programs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 344–360. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_20
Broadbent, A., Islam, R.: Quantum encryption with certified deletion. arXiv preprint arXiv:1910.03551 (2019)
Broadbent, A., Lord, S.: Uncloneable quantum encryption via random oracles. arXiv preprint arXiv:1903.00130 (2019)
Coladangelo, A.: Smart contracts meet quantum cryptography. arXiv preprint arXiv:1902.05214 (2019)
Coladangelo, A., Vidick, T., Zhang, T.: Non-interactive zero-knowledge arguments for QMA, with preprocessing. arXiv preprint arXiv:1911.07546 (2019)
De Santis, A., Di Crescenzo, G., Ostrovsky, R., Persiano, G., Sahai, A.: Robust non-interactive zero knowledge. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 566–598. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_33
Farhi, E., Gosset, D., Hassidim, A., Lutomirski, A., Shor, P.: Quantum money from knots. In: Proceedings of the 3rd Innovations in Theoretical Computer Science Conference, pp. 276–289 (2012)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013)
Gavinsky, D.: Quantum money with classical verification. In: 2012 IEEE 27th Conference on Computational Complexity, pp. 42–52. IEEE (2012)
Gay, R., Pass, R.: Indistinguishability obfuscation from circular security. Technical report, Cryptology ePrint Archive, Report 2020/1010 (2020)
Gottesman, D.: Uncloneable encryption. Quant. Inf. Comput. 3(6), 581–602 (2003)
Goyal, R., Koppula, V., Waters, B.: Lockable obfuscation. In: FOCS (2017)
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Lutomirski, A., et al.: Breaking and making quantum money: toward a new quantum cryptographic protocol. arXiv preprint arXiv:0912.3825 (2009)
Mahadev, U.: Classical homomorphic encryption for quantum circuits. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 332–338. IEEE (2018)
Mahadev, U.: Classical verification of quantum computations. In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 259–267. IEEE (2018)
Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: 40th Annual Symposium on Foundations of Computer Science (Cat. No. 99CB37039), pp. 543–553. IEEE (1999)
Wee, H., Wichs, D.: Candidate obfuscation via oblivious LWE sampling (2020)
Wichs, D., Zirdelis, G.: Obfuscating compute-and-compare programs under LWE. In: 2017 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS), pp. 600–611. IEEE (2017)
Wiesner, S.: Conjugate coding. ACM Sigact News 15(1), 78–88 (1983)
Zhandry, M.: Quantum lightning never strikes the same state twice. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 408–438. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_14
Acknowledgements
We thank Alex Dalzell and Aram Harrow for helpful discussions. During this work, RL was funded by NSF grant CCF-1729369 MIT-CTP/5204.
A Related Work
Quantum Money and Quantum Lightning. Using quantum mechanics to achieve unforgeability has a history that predates quantum computing itself. Wiesner [40] informally introduced the notion of unforgeable quantum money – unclonable quantum states that can also be (either publicly or privately) verified to be valid states. A few constructions [3, 4, 27, 29, 34] achieved quantum money with various features and very recently, in a breakthrough work, Zhandry [41] shows how to construct publicly-verifiable quantum money from cryptographic assumptions.
Certifiable Deletion and Unclonable Encryption. Unclonability has also been studied in the context of encryption schemes. The work of Gottesman [31] studies the problem of quantum tamper detection. Alice can use a quantum state to send Bob an encryption of a classical message m with the guarantee that any eavesdropper could not have cloned the ciphertext. In a recent work, Broadbent and Lord [23] introduced the notion of unclonable encryption. Roughly speaking, an unclonable encryption allows Alice to give Bob and Charlie an encryption of a classical message m, in the form of a quantum state \(\sigma(m)\), such that Bob and Charlie cannot ‘split’ the state among them.
In a follow-up work, Broadbent and Islam [22] construct a one-time use encryption scheme with certifiable deletion. An encryption scheme has the certifiable deletion property if there is an algorithm to check that a ciphertext was deleted.
Quantum Obfuscation. Our proof of the impossibility of SSL is inspired by the proof of Barak et al. [10] on the impossibility of VBB for arbitrary functions. Alagic and Fefferman [7] formalized the notion of program obfuscation via quantum tools, defining quantum virtual black-box obfuscation (qVBB) and quantum indistinguishability obfuscation (qiO), as the natural quantum analogues to the respective classical notions (VBB and iO). They also proved quantum analogues of some of the previous impossibility results from [10], as well as provided quantum cryptographic applications from qVBB and qiO.
Quantum One-Time Programs and One-Time Tokens. Another related primitive is quantum one-time programs. This primitive was shown to be impossible by [21]. This rules out the possibility of having a copy-protection scheme where a single copy of the software is consumed by the evaluation procedure. Despite the lack of quantum one-time programs, there are constructions of secure ‘one-time’ signature tokens in the oracle models [8, 13]. A quantum token for signatures is a quantum state that lets anyone in possession of it sign an arbitrary document, but only once. The token is destroyed in the signing process.
Recent Work on Copy-Protection. While finishing this manuscript, we became aware of very recent work on copy-protection. Aaronson et al. [5] constructed copy-protection for unlearnable functions relative to a classical oracle. Our work complements their results, since we show that obtaining copy-protection in the standard model (i.e., without oracles) is not possible.
Copyright information
© 2021 International Association for Cryptologic Research
About this paper
Cite this paper
Ananth, P., La Placa, R.L. (2021). Secure Software Leasing. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science, vol 12697. Springer, Cham. https://doi.org/10.1007/978-3-030-77886-6_17
DOI: https://doi.org/10.1007/978-3-030-77886-6_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77885-9
Online ISBN: 978-3-030-77886-6
eBook Packages: Computer Science (R0)