Quantum one-time programs

A one-time program is a hypothetical device by which a user may evaluate a circuit on exactly one input of his choice, before the device self-destructs. One-time programs cannot be achieved by software alone, as any software can be copied and re-run. However, it is known that every circuit can be compiled into a one-time program using a very basic hypothetical hardware device called a one-time memory. At first glance it may seem that quantum information, which cannot be copied, might also allow for one-time programs. But it is not hard to see that this intuition is false: one-time programs for classical or quantum circuits based solely on quantum information do not exist, even with computational assumptions. This observation raises the question, “what assumptions are required to achieve one-time programs for quantum circuits?” Our main result is that any quantum circuit can be compiled into a one-time program assuming only the same basic one-time memory devices used for classical circuits. Moreover, these quantum one-time programs achieve statistical universal composability (UC-security) against any malicious user. Our construction employs methods for computation on authenticated quantum data, and we present a new quantum authentication scheme called the trap scheme for this purpose. As a corollary, we establish UC-security of a recent protocol for delegated quantum computation. A one-time program (OTP) for a function f , as introduced in Ref. [8], is a cryptographic primitive by which a user may evaluate f on only one input chosen by the user at run time. No adversary, after evaluating the one-time program on x, should be able to learn anything about f(x′) for any x′ 6 = x beyond what can be inferred from f(x). One-time programs cannot be achieved by software alone, as any classical software can be be re-run. Thus, any hope of achieving any one-time property must necessarily rely on an additional assumptions such as secure hardware or quantum mechanics; in particular, computational assumptions alone will not suffice. Classically, it has been shown [8, 9] how to construct a one-time program for any function f using a hypothetical hardware device called a one-time memory (OTM). An OTM is non-interactive idealization of oblivious transfer: it stores two secret strings (or bits) s0, s1; a receiver can specify a bit c, obtain sc, and then the OTM self-destructs so that sc is lost forever. OTMs are an attractive minimal hardware assumption; their specification is independent of any specific function f , so they could theoretically be mass-produced. OTPs are a special form of non-interactive secure two-party computation [9], in which two parties evaluate a publicly known function f(x, y) as follows: the sender uses her input string x to prepare a program p(x) for the receiver, who uses this program and his input y to compute f(x, y). A malicious receiver should not be able to learn anything about f(x, y′) beyond what can be inferred from f(x, y). We use the term “OTP” interchangeably with “non-interactive secure two-party computation”. In this paper we study quantum one-time programs (QOTPs), in which the sender and receiver evaluate a publicly known channel Φ : (A,B)→ C specified by a quantum circuit acting on registers A ∗An extended abstract will appear in the proceedings of CRYPTO 2013 and is available at Cryptology ePrint Archive: Report 2013/343. A full version dated November 6, 2012 can be found at arXiv:1211.1080.

[1]  Yuval Ishai,et al.  Founding Cryptography on Tamper-Proof Hardware Tokens , 2010, IACR Cryptol. ePrint Arch..

[2]  Scott Aaronson,et al.  Quantum money from hidden subspaces , 2012, STOC '12.

[3]  Joseph Fitzsimons,et al.  Composable Security of Delegated Quantum Computation , 2013, ASIACRYPT.

[4]  Scott Aaronson,et al.  Quantum Copy-Protection and Quantum Money , 2009, 2009 24th Annual IEEE Conference on Computational Complexity.

[5]  Yael Tauman Kalai,et al.  One-Time Programs , 2008, CRYPTO.

[6]  Avinatan Hassidim,et al.  Secure Multiparty Quantum Computation with (Only) a Strict Honest Majority , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[7]  Louis Salvail,et al.  Actively Secure Two-Party Evaluation of Any Quantum Operation , 2012, CRYPTO.

[8]  Amit Sahai,et al.  On the (im)possibility of obfuscating programs , 2001, JACM.

[9]  M. Mosca,et al.  Quantum Coins , 2009, 0911.1295.

[10]  Elad Eban,et al.  Interactive Proofs For Quantum Computations , 2017, 1704.04487.