How to Use Quantum Indistinguishability Obfuscation

Quantum copy protection, introduced by Aaronson, enables giving out a quantum program-description that cannot be meaningfully duplicated. Despite over a decade of study, copy protection is only known to be possible for a very limited class of programs. As our first contribution, we show how to achieve "best-possible" copy protection for all programs. We do this by introducing quantum state indistinguishability obfuscation (qsiO), a notion of obfuscation for quantum descriptions of classical programs. We show that applying qsiO to a program immediately achieves best-possible copy protection. Our second contribution is to show that, assuming injective one-way functions exist, qsiO is concrete copy protection for a large family of puncturable programs -- significantly expanding the class of copy-protectable programs. A key tool in our proof is a new variant of unclonable encryption (UE) that we call coupled unclonable encryption (cUE). While constructing UE in the standard model remains an important open problem, we are able to build cUE from one-way functions. If we additionally assume the existence of UE, then we can further expand the class of puncturable programs for which qsiO is copy protection. Finally, we construct qsiO relative to an efficient quantum oracle.


Introduction
A copy-protected program is one that can be evaluated by a user on arbitrary inputs, but not duplicated into a second, functionally equivalent program. Since copy protection is impossible to achieve with classical information alone, Aaronson [Aar09] proposed leveraging quantum information as a way to achieve provable copy protection. Despite significant research, constructions of copy protection remain elusive. Even defining copy protection is often quite subtle, with the right definition depending on the class of programs being copy protected. On the positive side, we know that copy protection can be achieved either in black-box models or for special classes of programs like pseudorandom functions and point functions [CMP20, AP21, ALL+21, CLLZ21, AKL+22]. On the negative side, it is immediate that learnable programs cannot be copy protected [Aar09], and it is also known that there exist unlearnable programs that cannot be copy protected [AP21]. Outside of these extremes, the landscape of copy protection remains poorly understood. For instance, our current understanding does not address copy protection for complex non-cryptographic software, e.g. video games. In general, the input/output behavior of a video game has almost no formal guarantees, so it seems difficult to achieve provable copy protection. This leads us to ask:

(1) When are non-cryptographic programs copy protectable?
A useful answer to this question should include conditions that can be heuristically verified in order to determine whether a given program is plausibly copy protectable.
Of course, even if a program can be copy protected, it is not in general clear how to copy-protect it. We would additionally like to know:

(2) Is there a principled strategy for copy-protecting programs in general?
In this work we introduce quantum state indistinguishability obfuscation (qsiO), which allows us to make progress on both of these questions. To address Question (2), we show that qsiO is optimal copy protection for every class of programs. Therefore, assuming qsiO exists, Question (1) reduces to determining which programs are actually copy protected by qsiO. We provide a partial answer to this question by showing that, roughly, copying a qsiO obfuscation is at least as hard as "filling in" the program on an input that has been redacted from the program description.
Quantum state indistinguishability obfuscation (qsiO). An obfuscator is an algorithm that takes as input a circuit C and outputs an "unintelligible" program C′ with the same functionality as C [BGI+01].
The most immediate generalization of this to the quantum setting is an obfuscator that takes as input a (classical description of a) quantum circuit Q and outputs a (classical description of a) functionally equivalent quantum circuit Q′.
However, in this work we will be interested in encoding functionalities (classical or quantum) in quantum states. In more detail, if Q is a quantum circuit and ρ is a quantum state, then we say that (Q, ρ) is a quantum implementation of a function f if Pr[Q(ρ, x) = f(x)] = 1 for all x in the domain of f.
Several prior works have studied the question of whether obfuscators that are allowed to output quantum implementations are more powerful than obfuscators that can only output classical information, i.e. whether they can obfuscate a larger class of functionalities [AF16, BK21, AP21, ABDS21, BM22, BKNY23]. However, all of these works consider obfuscators with classical input (and only the output is possibly a quantum state).
In contrast, a quantum state indistinguishability obfuscator Obf takes as input a quantum implementation of some function f, and outputs another quantum implementation of f. We say that Obf is a quantum state indistinguishability obfuscator if, for any pair of quantum implementations (Q_1, ρ_1) and (Q_2, ρ_2) of the same function f,

• For search puncturing, we require that no efficient adversary can compute from f_x any output y such that Ver(f, x, y) = 1, for some efficient (public or private) verification procedure Ver. For example, if f is a signing function with a hard-coded secret key or a message authentication code, Ver(f, x, y) would use the verification key to check that y is a valid signature or authentication tag for x. In [BSW16] it was shown how to build search-puncturable signing functions from indistinguishability obfuscation and one-way functions.
These results highlight some generic properties of programs that imply copy protectability, making progress on Question (1): if a program can be described on all but one input (i.e. it can be punctured), then in order to copy a qsiO obfuscation of the original program one must spend a comparable amount of work to that required to fill in the program's value at the missing point.
Techniques for the use of qsiO. One of the main contributions of this work is a technical toolkit for the use of qsiO. The reader familiar with classical indistinguishability obfuscation (iO) will recall that it is often used in conjunction with puncturing to obtain interesting applications. For qsiO, we identify unclonable encryption [BL20] as the key primitive that, alongside puncturing, unlocks applications to copy protection. Informally, unclonable encryption is a secret-key encryption scheme where ciphertexts are "unclonable".
As a key technical tool in our proof of (A), we introduce a new variant of unclonable encryption which we call coupled unclonable encryption. Whereas constructing (full-fledged) unclonable encryption in the standard model remains an important open problem, we are able to build our variant from one-way functions, and we show that it suffices for (A). Given the notorious difficulty of building unclonable encryption in the standard model, we believe that our variant is of independent interest.
To further showcase our techniques, we show that assuming injective one-way functions and unclonable encryption, qsiO achieves a strong notion of copy protection for point functions which is beyond the reach of existing techniques.

Comparison to previous work
Two works are particularly related to ours: [ALL+21], which also studies copy protection for general programs; and [CLLZ21], which considers provable copy protection for specific functionalities that are similar to some of the ones we consider here.
[ALL+21] takes a very different approach than ours to copy protection for general programs. By moving to a black-box model, they are able to build copy protection for all unlearnable programs. However, it is known that there exist unlearnable programs that cannot be copy protected [AP21], so the black-box construction of [ALL+21] does not address Question (1) about which programs could be copy protectable. In contrast, qsiO could plausibly exist in the standard model for all programs. Furthermore, we are able to identify specific properties that differentiate programs for which qsiO is copy protection.
While the black-box construction of [ALL+21] does naturally suggest a heuristic copy protection scheme for arbitrary programs (by replacing black-box obfuscation with iO), there is no "best-possible" guarantee comparable to qsiO. There may exist programs that can be copy protected, and yet this heuristic construction nonetheless fails to copy-protect them. In order to address Question (1), [ALL+21] give a non-black-box construction of copy detection for any watermarkable program, assuming public-key quantum money. They interpret this construction as evidence that copy protection might exist for watermarkable programs as well.
[CLLZ21] does not directly consider the problem of copy protection for general functionalities. Instead, one of the main results (under an information-theoretic conjecture that was later proven to be true in [CV22]) is that puncturable pseudorandom functions can be copy protected using iO, assuming sub-exponentially secure LWE. Compared to our provable copy protection results, the advantage of [CLLZ21] is that iO is much more well-studied than qsiO. However, their result is limited to puncturable pseudorandom functions (and does not seem to extend further), while our results are applicable to a much broader class of puncturable functionalities. Additionally, our results do not rely on "structured" assumptions like LWE.

Technical overview
Definitions. Throughout this technical overview, we will fix a universal quantum evaluation circuit Eval. Instead of considering implementations as circuit-state pairs (C, ρ), we will assume that the description of C is included in ρ. Therefore we will view qsiO schemes as acting only on the quantum part, ρ.
As in the introduction, we say that ρ implements a function f if, for all x, Pr[Eval(ρ, x) = f(x)] = 1 (or is negligibly close to 1). An obfuscator Obf is a qsiO scheme if it satisfies:

• (Correctness) if ρ implements f, then Obf(ρ) implements f, and

We will write qsiO(ρ) to refer to a qsiO obfuscation of ρ.
Best-possible copy protection. With the definition of qsiO in hand, it is not difficult to prove that qsiO(f) is best-possible copy protection for any functionality f. Here is a sketch of the argument; for a more complete treatment see Theorem 1.
Let F be any class of programs for which some copy protection scheme CP exists. That is, CP is an efficient quantum algorithm such that for f ∈ F, CP(f) outputs a quantum state ρ such that Eval(ρ, x) = f(x) for all x ∈ Domain(f), and there is some guarantee of "unclonability" on ρ. It turns out that Theorem 1 is not sensitive to the precise definition of "unclonability": whatever definition of unclonability is satisfied by CP, qsiO achieves the same guarantee. The key observation is that any adversary who wins the unclonability game for qsiO(f) must necessarily win the unclonability game for qsiO(CP(f)) as well, or else it would break the qsiO security guarantee! Since we can efficiently apply qsiO to CP(f) to prepare qsiO(CP(f)) ≈ qsiO(f), it follows that qsiO(f) is at least as secure as CP(f).
Construction of qsiO relative to a quantum oracle. Our construction of qsiO relative to a quantum oracle is simple, although the security proof is fairly involved. On input a quantum implementation ρ of some function f, qsiO samples a uniformly random Clifford unitary C and outputs the state ρ̃ = CρC†, alongside an oracle implementing the unitary G_C = C†EvalC, where Eval is a universal circuit. In other words, qsiO applies a Clifford one-time pad to the input state ρ; the oracle G_C undoes the one-time pad, evaluates the function f, and then re-applies the one-time pad.
The "Clifford twirl" is sufficient to argue security against adversaries that make a single query, but a more careful argument is required to handle general adversaries.This argument makes use of the "admissible oracle lemma" from [GJMZ23].
Unclonable encryption. As is often the case with classical iO [SW21], we find that qsiO does not by itself yield the applications we are most interested in. Instead, we combine qsiO with one-way functions and variants of unclonable encryption to build copy protection. We describe some background and a new result on unclonable encryption before discussing copy protection.
Unclonable encryption (UE), formally introduced by Broadbent and Lord [BL20], can be viewed as an unclonable version of secret-key encryption. A UE scheme consists of a generation algorithm that samples a classical secret key sk, an encryption algorithm Enc that outputs a quantum state, and a decryption algorithm Dec that outputs a message. The security guarantee says that, without the secret key, an adversary given Enc(sk; m) cannot prepare two states which can later be used to decrypt the message m (when provided the secret key sk). We require UE schemes to have semantic security: that is, the two states cannot both be used to learn non-negligible information about the message. Formally, a UE scheme (Enc, Dec) is secure if no efficient adversary can win the following security game with probability noticeably greater than 1/2:

UE-Expt(λ):
1. The adversary sends the challenger a message m.
3. The adversary splits into two non-communicating parties A and B.
4. The challenger sends each of A and B the secret key sk.
5. A outputs a bit a′ and B outputs a bit b′. The adversary wins if

The first provably secure construction of UE was proposed in [BL20], and it satisfied a "search-based" notion of security in the quantum random oracle model (QROM). Subsequent work [AKL+22, AKL23] achieved the "decision" version of UE that we consider here, still in the QROM. We conjecture that UE for single-bit messages can be built (for general messages) in the standard model, assuming one-way functions.
One of the key insights of Broadbent and Lord [BL20] is to link the "search-based" notion of UE to the following "monogamy of entanglement" result from [TFKW13], which says that no (unbounded) adversary can win the following security game with probability noticeably greater than 0:

Search-Expt(λ):
1. The challenger samples x, θ ← {0,1}^λ and sends |x^θ⟩ to the adversary. Here, |x^θ⟩ is shorthand for H^θ|x⟩, where H^θ denotes Hadamard gates applied to the qubits where the corresponding bit in θ is 1.
2. The adversary splits into two non-communicating parties A and B.
3. The challenger sends each of A and B the basis θ.
4. A and B output strings x_A, x_B. The adversary wins if

The reason that this result does not immediately yield UE (by using x as a one-time pad for the message) is that the adversaries are required to guess all of the message in Search-Expt, whereas the adversaries in UE-Expt are merely required to learn anything at all about the message. For instance, if the adversary simply passes the first half of the qubits of |x^θ⟩ to A and the second half to B, then both A and B can learn half of x. It is natural to attempt to evade this issue by using a randomness extractor. For a single-bit message m, we could use the following as a candidate unclonable encryption:

where x, θ, u ← {0,1}^λ, and the dot product u·x is taken over F_2. The secret key is sk = (θ, u), and the decryption algorithm simply reads x, computes u·x, and removes the one-time pad on m.
Intuitively, it would seem that an adversary needs to learn all of x in order to guess u·x. This is typically proven using the quantum Goldreich-Levin reduction [BV97, AC02]. Given a single quantum query to a predictor that successfully guesses u·x with probability 1/2 + ε (over a random choice of u), the quantum Goldreich-Levin reduction produces a guess for the entire string x with probability poly(ε). Since an adversary that wins UE-Expt must have both parts A and B guess u·x correctly, we can run the quantum Goldreich-Levin reduction to show that each of A and B has at least a poly(ε) probability of guessing x. However, there is no guarantee that they guess x correctly simultaneously, so this reduction might never win Search-Expt!
We do not know how to prove that the candidate UE scheme of Equation (2) is secure. Instead, we relax the requirement of UE so that a similar reduction works. This results in a variant of UE that we call coupled unclonable encryption (cUE). In cUE, a ciphertext encrypts two messages under two independent secret keys. Each secret key alone works to decrypt the corresponding message. In the security game, A receives one secret key, and B receives the other. Our cUE encryption scheme for single-bit messages m_A, m_B is:

where x, θ, u, v ← {0,1}^λ. The secret keys are sk_A = (θ, u) and sk_B = (θ, v). Now that u and v are independent, it is possible to prove that the above reduction works. Indeed, as we were working on this manuscript, similar "simultaneous" Goldreich-Levin theorems were proven in [KT23, AKL23]. However, both of these works leave open the question of running a similar reduction for many-bit messages. Specifically, in [KT23], the authors ask whether one can use many inner products to encrypt many bits, noting that their techniques do not extend to this setting. We answer this question in the affirmative in Section 3.1, by carrying out a version of a "hybrid argument" on quantum operators.
This result is crucial for our copy protection applications, which require cUE for many-bit messages. Formally, the security guarantee of cUE states that an adversary cannot win the following game with probability noticeably greater than 1/2:

cUE-Expt(λ):
1. The adversary sends the challenger two messages m_A, m_B.
2. The challenger samples two challenge bits a, b ← {0,1}, two secret keys sk_A, sk_B ← {0,1}^λ, and two random messages r_A, r_B of the same lengths as m_A, m_B, respectively.

For general (many-bit) messages m_A, m_B, our cUE encryptions are essentially

Let m
where U, V are wide F_2 matrices of appropriate dimensions, Ux, Vx denote matrix-vector products, and PRG is any pseudorandom generator with appropriate stretch. Since the lengths of Ux and Vx are fixed as a function of λ, but the adversary can choose m_A, m_B of whatever length it wishes, we need to use pseudorandom generators to potentially stretch Ux and Vx to the proper lengths.
We divide the proof of security for Equation (4) into two steps. First, in Section 3.1 we show that one of Ux and Vx is completely unpredictable to the corresponding pirate; we call this property unclonable randomness. This is the core of the cUE proof and perhaps the most technical part of this work, requiring a new and delicate argument that resolves the aforementioned open question of [KT23]. In Section 3.2, we invoke the security of the PRG to see that the cUE scheme is secure. Thus, assuming only the existence of one-way functions, there exists a cUE scheme that encrypts messages of arbitrary polynomial length.
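As an added illustration (not code from the paper), the following classical simulation follows the cUE description above, reading the many-bit ciphertext of Equation (4) as (|x^θ⟩, m_A ⊕ PRG(Ux), m_B ⊕ PRG(Vx)) with sk_A = (θ, U) and sk_B = (θ, V); it also reproduces the half-splitting observation made about Search-Expt and shows why the inner-product extractor defeats it. Assumptions: the BB84 register is modelled by a one-shot measurement rule, the PRG is a SHA-256 counter-mode placeholder, and λ = 16 is a toy parameter.

```python
import hashlib
import secrets

LAM = 16  # security parameter lambda; a toy value for illustration only


def rand_bits(n):
    return [secrets.randbelow(2) for _ in range(n)]


def matvec(M, x):
    """Matrix-vector product over F_2 (the Ux and Vx of the overview)."""
    return [sum(a & b for a, b in zip(row, x)) % 2 for row in M]


def prg(seed_bits, out_len):
    """Placeholder PRG (an assumption of this example): SHA-256 in counter
    mode stretches a short seed to out_len bits."""
    seed = bytes(seed_bits)
    out, ctr = [], 0
    while len(out) < out_len:
        digest = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        out.extend((byte >> k) & 1 for byte in digest for k in range(8))
        ctr += 1
    return out[:out_len]


class BB84Register:
    """Toy model of |x^theta>: each qubit can be measured at most once, and a
    measurement in the wrong basis returns a uniformly random bit, not x_i.
    There is deliberately no way to copy the object."""

    def __init__(self, x, theta):
        self._x, self._theta = list(x), list(theta)
        self._used = [False] * len(x)

    def __len__(self):
        return len(self._x)

    def measure(self, i, basis_bit):
        if self._used[i]:
            raise RuntimeError("qubit %d was already measured" % i)
        self._used[i] = True
        if basis_bit == self._theta[i]:
            return self._x[i]
        return secrets.randbelow(2)  # wrong basis: no information about x_i


def keygen(lam=LAM):
    """sk_A = (theta, U) and sk_B = (theta, V): shared bases, independent
    wide F_2 matrices (here lam/2 x lam)."""
    theta = rand_bits(lam)
    U = [rand_bits(lam) for _ in range(lam // 2)]
    V = [rand_bits(lam) for _ in range(lam // 2)]
    return (theta, U), (theta, V)


def encrypt(sk_a, sk_b, m_a, m_b):
    """Ciphertext ( |x^theta>, m_A xor PRG(Ux), m_B xor PRG(Vx) ) for a
    fresh x; messages are bit lists of any length."""
    theta, U = sk_a
    _, V = sk_b
    x = rand_bits(len(theta))
    pad_a = prg(matvec(U, x), len(m_a))
    pad_b = prg(matvec(V, x), len(m_b))
    return (BB84Register(x, theta),
            [p ^ q for p, q in zip(m_a, pad_a)],
            [p ^ q for p, q in zip(m_b, pad_b)])


def decrypt(sk, reg, c):
    """Holder of one key measures every qubit in basis theta, recovers x,
    recomputes its own pad and strips it.  This consumes the register, so
    the same quantum ciphertext cannot be decrypted a second time."""
    theta, M = sk
    x = [reg.measure(i, theta[i]) for i in range(len(theta))]
    pad = prg(matvec(M, x), len(c))
    return [p ^ q for p, q in zip(c, pad)]


def half_split(reg, theta):
    """The observation about Search-Expt: if the qubits are simply handed out,
    first half to A and second half to B, then once theta is revealed each
    party recovers its half of x exactly.  Returns the two halves."""
    n = len(reg)
    a_bits = [reg.measure(i, theta[i]) for i in range(n // 2)]
    b_bits = [reg.measure(i, theta[i]) for i in range(n // 2, n)]
    return a_bits, b_bits


def pad_bit_determined(u, known_positions):
    """Whether the extractor output u.x is already fixed by knowing x only
    at known_positions.  That needs u to vanish on every unknown position,
    which a uniformly random u does with probability 2^-(#unknown), so
    partial knowledge of x alone leaves the pad bit uniform."""
    return all(u[i] == 0 for i in range(len(u)) if i not in known_positions)
```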
In Section 4.2, we show that cUE suffices to show that qsiO copy-protects puncturable programs with indistinguishability at the punctured point.
Remark 1. In [AKL+22], the authors discuss "issues with using extractors." The proposal for UE in Equation (2) falls within the category of extractor-based schemes that they are referring to, so the issues with natural proof techniques discussed there apply. However, the security of the UE scheme described above is not ruled out by their impossibility result (Theorem 1.3). Furthermore, our constructions of single-bit and general cUE in Equations (3) and (4) are also extractor-based schemes in a similar sense, and we are nonetheless able to prove them secure. Therefore, we hope that our insights for constructing cUE may eventually be useful for constructing UE, as they may evade some of the barriers discussed in [AKL+22].
Finally, we show that one can generically add a functionality that we call key testing to any UE or cUE scheme, using qsiO and injective one-way functions. Key testing means that there is an algorithm Test which determines whether a given string z is a valid key for a given encryption σ. Key testing turns out to be crucial for our proofs of copy protection from qsiO. The main idea to upgrade a UE or cUE scheme to one with key testing is to append to the ciphertext a qsiO obfuscation of the program δ_sk (which is zero everywhere except at sk). Intuitively, this allows one to check the validity of a secret key, while at the same time preserving unclonability thanks to the properties of qsiO.
Copy protection for PRFs. Armed with cUE, we can apply qsiO to achieve copy protection for certain classes of functions. For the purposes of the technical overview, we will only describe how qsiO copy-protects pseudorandom functions (PRFs). This description highlights some of the main ideas behind our proof technique for the more general results of Section 4. The basic idea of the proof technique is to use the qsiO guarantee to replace the PRF with a punctured version, where the values of the PRF at the challenge points are hard-coded under a cUE encryption.
We explain this more precisely. Suppose that F_λ is a family of puncturable PRFs with domain {0,1}^λ and range {0,1}^{n(λ)}. It was shown in [SW21] that puncturable PRFs can be built from any one-way function.
We will prove that qsiO is a secure copy protection scheme for F_λ via a sequence of hybrids, beginning with the PRF copy protection security game:

CP-Expt-PRF(λ): The challenger sends the adversary qsiO(f). In other words, in this security game, the parties A and B are trying to decide whether they received a pair (x, y) where y = f(x) or where y is uniformly random.

The adversary splits into two non-communicating parties
Let f_{x_A,x_B} be f punctured at x_A, x_B, let Enc be a cUE scheme with key testing, and let

Our first hybrid uses the qsiO guarantee to replace qsiO(f) with qsiO(P[f_{x_A,x_B}, σ]), where P[f_{x_A,x_B}, σ] is a program (formally a quantum implementation of a program) that does the following on input z:
1. Use key testing to check whether z is a valid key for σ. If not, terminate and output f_{x_A,x_B}(z).
2. Otherwise, use z to decrypt σ and output the result.

Since

Now, the pseudorandomness of f at the punctured points implies that

where ỹ^1_A, ỹ^1_B are random strings from the range of f. Therefore, the adversary's success probability is again preserved if we replace f(x_A), f(x_B) with ỹ^1_A, ỹ^1_B in Hybrid 1(λ). We also rename y^0_A, y^0_B (introduced in step 1 of the original experiment) to ỹ^0_A, ỹ^0_B for convenience of notation. Then, Hybrid 2(λ) is the following.

Hybrid 2(λ):

2. The challenger prepares σ = Enc(x_A, x_B; ỹ^1_A, ỹ^1_B) and sends the adversary qsiO(P[f_{x_A,x_B}, σ]).
3. The adversary splits into two non-communicating parties A and B.
4. The challenger sends x_A, ỹ^a_A to A and x_B, ỹ^b_B to B.
5. A outputs a bit a′ and B outputs a bit b′. The adversary wins if a′ = a and b′ = b.
Our last hybrid, Hybrid 3(λ), will be the same as Hybrid 2(λ) except that the challenger sends the adversary qsiO(P[f, σ]) instead of qsiO(P[f_{x_A,x_B}, σ]) in step 2. The adversary's success probability is negligibly close between Hybrid 2(λ) and Hybrid 3(λ) because P[f, σ] and P[f_{x_A,x_B}, σ] are functionally equivalent, and so

Finally, notice that Hybrid 3(λ) is now quite close to the cUE experiment cUE-Expt(λ)! It's not difficult to see that there is a direct reduction from cUE-Expt(λ) to Hybrid 3(λ), because qsiO(P[f, σ]) can be generated from σ by sampling f ← F_λ.

Preliminaries
We introduce some notation that we will use throughout the paper.
We denote a quantum polynomial-time algorithm with the acronym QPT. Formally, this is a polynomial-time uniform family of quantum circuits, where each circuit in the family is specified by a sequence of unitary operations and measurements. A quantum algorithm may in general receive (mixed) quantum states as inputs and produce (mixed) quantum states as outputs. We denote by δ_S the indicator function for a set S, with δ_S(x) = 1 if x ∈ S and δ_S(x) = 0 otherwise. For a point s, it is understood that δ_s := δ_{{s}}, the indicator of the singleton set {s}.
For a string x ∈ {0,1}^n, we use |x| = n to denote the length of the string. By default, all operations on bitstrings are assumed to be performed over F_2.

Acknowledgements
This material is based upon work supported by the U.S. Department of Energy, Office of Science, National Quantum Information Science Research Centers, Quantum Systems Accelerator.

Quantum State Indistinguishability Obfuscation (qsiO)
In this section, we define quantum state indistinguishability obfuscation (qsiO).We show that qsiO achieves "best-possible" copy protection, and we describe a construction of qsiO relative to a quantum oracle.

Definitions
We start by defining a "quantum implementation" of a classical function.
For a quantum implementation (ρ, C), we refer to its size as the maximum between the number of qubits of ρ and the number of gates of the circuit C. We now define qsiO.
A quantum state indistinguishability obfuscator for {Q_λ}_{λ∈ℕ} is a QPT algorithm qsiO that takes as input a security parameter 1^λ and a quantum implementation (ρ, C) ∈ Q_λ, and outputs a pair (ρ′, C′). Additionally, qsiO should satisfy the following.
• (Correctness) There exists a negligible function negl′ such that, for any

• (Security) For any QPT distinguisher D, there exists a negligible function negl′′ such that the following holds. For all λ and all pairs of (1

In this paper, we will make use of qsiO for all polynomial-size quantum implementations. That is, we will assume the existence of qsiO for {Q_λ}_{λ∈ℕ}, where Q_λ is the set of (1 − negl(λ))-quantum implementations of size at most λ, for some negligible function negl.
For ease of notation, we will often omit writing 1^λ as an input to qsiO. We will sometimes apply qsiO to a circuit C without auxiliary quantum input, or to a classical circuit C. In this case, we simply write qsiO(C).
If the circuit C is classical we sometimes identify it with the function f that it is computing, and simply write qsiO(f ).

Best-possible copy protection
It is not hard to see that qsiO, as defined in the previous section, achieves best-possible copy protection. In this section, we state a definition of copy protection that is quite general, and encompasses all the variants that we will later consider in Section 4.
Definition 3 (Copy protection, correctness). Let F = {F_λ}_{λ∈ℕ} be a family of classical circuits. A QPT algorithm CP is a copy protection scheme for F if the following holds, for some negligible function negl:

• CP takes as input a security parameter 1^λ and a circuit f ∈ F_λ, and outputs a

The definition of security below is stated in terms of a circuit Ver that the challenger runs on each half of a state received from the adversary (the "pirate"). Some readers may be more familiar with a security game where the challenger samples a pair of inputs to the copy-protected function f, and expects two parties Alice and Bob to return the value of f at those inputs. The security game in Figure 1 subsumes such a security game (by taking Ver(f, A) to be the circuit that first samples an input x to f, and then runs "Alice's circuit" A_x on the input state). We elect to keep the definition general here, so as not to limit the applicability of our "best-possible copy protection" result (Theorem 1). Later, when we discuss copy protection of concrete functionalities in Section 4, we opt for a more explicit description of the security game.
Definition 4 (Copy protection, security). Let F = {F_λ}_{λ∈ℕ} be a family of classical circuits. Let CP be a copy protection scheme for F.
Let Ver = {Ver_λ}_{λ∈ℕ} be a uniform family of polynomial-size quantum circuits, where Ver_λ takes as input a function f ∈ F_λ, a family of poly(λ)-size quantum circuits {Q_x}_{x∈Domain(f)}, and a quantum state, and outputs a single bit. Let δ :

We say that CP is (Ver, δ)-secure if, for all QPT algorithms Adv, there exists a negligible function negl such that, for all λ,

where CP-Expt_{CP,Adv,Ver} is defined in Figure 1. For a function f ∈ F_λ and a family of circuits Q, we use the notation Ver(f, Q) := Ver(f, Q, ·) (so Ver(f, Q) denotes a quantum circuit that takes as input a state and outputs a single bit).
[Figure 1: the copy protection security game CP-Expt between the Challenger and the Adversary; the challenger outputs 1 if both outcomes are 1.]

Theorem 1 ("Best-possible" copy protection). Let F = {F_λ}_{λ∈ℕ} be a family of classical circuits. Suppose there exists a copy protection scheme for F that is (Ver, δ)-secure (for some Ver, and δ as in Definition 4). Let qsiO be a secure quantum state indistinguishability obfuscator for F. Then, qsiO is a (Ver, δ)-secure copy protection scheme for F.
Proof. Let CP be the (Ver, δ)-secure copy protection scheme for F that exists by hypothesis. Let Adv be any efficient adversary for CP-Expt. Since the challenger in CP-Expt is also efficient, we have by the security guarantee of qsiO that there exists a negligible function negl such that, for all λ,

Consider a reduction Red[Adv] for CP-Expt that simply applies qsiO before forwarding σ to Adv, and then forwards the response from Adv to the challenger. Formally, Red is defined by the following behavior in CP-Expt.
3. Adv sends (A, B, ρ_{AB}) to Red, which forwards this to the challenger.
4. The challenger then runs Ver_λ(f, A) ⊗ Ver_λ(f, B) on ρ_{AB} and outputs 1 if both outcomes are 1.

By construction,
Finally, the assumption that CP is a (Ver, δ)-secure copy protection scheme for F implies that

Combining Equations (5), (6), and (7) gives the result.
Remark 2. In this work we only consider qsiO for quantum implementations of deterministic functions. It would be interesting to explore an extended definition that allows for quantum implementations of randomized functions. It is plausible that a proper formalization would yield best-possible one-time programs in a similar way to Theorem 1.

Constructing qsiO
In this section, we give a construction Obf of qsiO relative to a quantum oracle. Before describing it formally, we give an informal description:

• Obf takes as input a quantum implementation (ρ, Eval) of some function f, where Eval is assumed to be a universal evaluation circuit without loss of generality.
• Obf samples a uniformly random Clifford unitary C and outputs the state ρ̃ = CρC†, alongside an oracle implementing the unitary G_C = CEvalC† (where Eval here refers to the unitary part of the evaluation circuit).
In other words, qsiO applies a Clifford one-time pad to "hide" the input state ρ; the oracle G_C undoes the one-time pad, evaluates the function f, and then re-applies the one-time pad. This allows a user to evaluate f, while intuitively keeping the state ρ hidden at all times.
The main tool in our proof is the "Clifford twirl" [ABOEM17], which would already suffice if the adversary were only allowed to make a single query to G_C. However, the adversary can make any polynomial number of queries, so a more careful argument is required. Our argument additionally makes use of a recently introduced tool called the "admissible oracle lemma" [GJMZ23], which allows us to reduce the security of the many-query game to the security of the one-query game.
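The Clifford one-time pad and the twirl property behind it, as an added single-qubit illustration that is not code from the paper: averaging CρC† over all 24 single-qubit Cliffords (modulo phase) maps every state ρ to the maximally mixed state I/2, which is what an observer who does not know C sees, while the holder of C unpads exactly. The oracle G_C and the many-query argument are not modelled; pure-Python 2x2 complex matrices are used so the example runs offline.

```python
import math
import random

# 2x2 complex matrices as tuples of tuples; a global phase is irrelevant to a pad.
I2 = ((1 + 0j, 0j), (0j, 1 + 0j))
H = ((1 / math.sqrt(2) + 0j, 1 / math.sqrt(2) + 0j),
     (1 / math.sqrt(2) + 0j, -1 / math.sqrt(2) + 0j))
S = ((1 + 0j, 0j), (0j, 1j))


def mul(A, B):
    return tuple(tuple(sum(A[i][k] * B[k][j] for k in range(2))
                       for j in range(2)) for i in range(2))


def dag(A):
    """Conjugate transpose."""
    return tuple(tuple(A[j][i].conjugate() for j in range(2)) for i in range(2))


def canon(A):
    """Fix the global phase (first non-zero entry made positive real) and
    round, so unitaries equal up to phase compare equal and fit in a set."""
    pivot = next(z for row in A for z in row if abs(z) > 1e-9)
    phase = abs(pivot) / pivot
    return tuple(tuple(complex(round((z * phase).real, 9) + 0.0,
                               round((z * phase).imag, 9) + 0.0)
                       for z in row) for row in A)


def clifford_group():
    """The single-qubit Clifford group modulo phase, generated as the closure
    of {H, S} under multiplication; it has 24 elements."""
    start = canon(I2)
    group, frontier = {start}, [start]
    while frontier:
        A = frontier.pop()
        for G in (H, S):
            B = canon(mul(G, A))
            if B not in group:
                group.add(B)
                frontier.append(B)
    return list(group)


def pure_state(a, b):
    """Density matrix of the normalised qubit state a|0> + b|1>."""
    norm = math.sqrt(abs(a) ** 2 + abs(b) ** 2)
    v = (a / norm, b / norm)
    return tuple(tuple(v[i] * v[j].conjugate() for j in range(2)) for i in range(2))


def pad(rho, C):
    """Clifford one-time pad: rho -> C rho C^dagger."""
    return mul(mul(C, rho), dag(C))


def unpad(sigma, C):
    """Undo the pad with knowledge of C: sigma -> C^dagger sigma C."""
    return mul(mul(dag(C), sigma), C)


def twirl(rho, group):
    """Average of C rho C^dagger over the whole group: the view of someone
    who does not know C.  For the Clifford group this is always I/2."""
    n = len(group)
    acc = [[0j, 0j], [0j, 0j]]
    for C in group:
        T = pad(rho, C)
        for i in range(2):
            for j in range(2):
                acc[i][j] += T[i][j] / n
    return tuple(tuple(row) for row in acc)


def close(A, B, tol=1e-6):
    return all(abs(A[i][j] - B[i][j]) < tol for i in range(2) for j in range(2))


def demo(seed=0):
    """Pad a random pure state with a random Clifford; check that the holder
    of C recovers it and that the twirl hides it completely."""
    rng = random.Random(seed)
    group = clifford_group()
    rho = pure_state(complex(rng.random(), rng.random()),
                     complex(rng.random(), rng.random()))
    C = rng.choice(group)
    recovered = close(unpad(pad(rho, C), C), rho)
    hidden = close(twirl(rho, group), ((0.5 + 0j, 0j), (0j, 0.5 + 0j)))
    return len(group), recovered, hidden
```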
Construction 1. Obf takes as input a quantum implementation (ρ, Eval) of some function f, where ρ is a state on a register A. We assume without loss of generality that the circuit Eval consists of a unitary on A as well as an input register X and an output register Y, followed by a measurement of register Y. For ease of notation, we will identify the algorithm Eval (which includes a measurement) with its unitary part when it is clear from the context. We assume without loss of generality that the unitary Eval uncomputes all of its intermediate steps, leaving the result on Y.
• Let $G_C$ be the unitary acting on registers A, X, Y defined as
• Let $\tilde U^{G_C}$ be the quantum circuit, with oracle access to $G_C$, that behaves as follows: On input ρ, run measure register Y and output the outcome.
• Output $(\tilde\rho, \tilde U^{G_C})$ (since this is an oracle construction, what we mean is that the algorithm Obf outputs the description of the oracle algorithm $\tilde U$, and the oracle $G_C$ is publicly available).
We show that Construction 1 is qsiO in a model where the adversary has access to the oracle $G_C$.
Proof. We prove security via three hybrids. The first hybrid corresponds to the original qsiO security game. The second corresponds to a "purified" version of the qsiO game, which is easily seen to be equivalent to the original. The third hybrid is identical to the second, except that the adversary has access to a different oracle: this new oracle does not evaluate the function unless the register containing C is in uniform superposition. Finally, we show that the distinguishing advantage in the third hybrid is zero by invoking the "admissible oracle lemma" of [GJMZ23].
Hybrid 1 : The original qsiO security game.
Hybrid 2: A "purified" version of the qsiO game. Let $(|\psi_1\rangle, U_1)$ and $(|\psi_2\rangle, U_2)$ be two quantum implementations of the same classical functionality $f:\{0,1\}^{\ell_{in}}\to\{0,1\}^{\ell_{out}}$, where $|\psi_1\rangle$ and $|\psi_2\rangle$ are states on some register $B_1$, and $U_1, U_2$ are unitaries on $B_1$ and some other register R. For the rest of the proof we assume, for simplicity and without loss of generality, that the unitaries $U_1$ and $U_2$ are equal to a fixed universal unitary $\mathrm{Eval}_{B_1,R}$.
Let $A, B_1, B_2, R$ be registers, and let $\Pi'$ be the subspace spanned by all the states of the form where C is any Clifford unitary on register $B := B_1 B_2$, $|\psi\rangle$ is any state on $B_1$, and $(x,y)\in\{0,1\}^{\ell_{in}}\times\{0,1\}^{\ell_{out}}$.
The unitary $G'$ acts as identity on the orthogonal complement of $\Pi'$, and as follows on $\Pi'$:
In the rest of the section, when it is clear from the context, we omit writing tensor products with identities, e.g. we write
The game is as follows:
1. The challenger samples b ← {0, 1}. Then, it creates the state
2. The adversary receives register B from the challenger, as well as query access to the oracle $G'$ (where the adversary controls R). The adversary returns a guess b′ ∈ {0, 1}.
The adversary wins if b ′ = b.
Hybrid 3: Identical to Hybrid 2, except the adversary has access to a different oracle G defined as follows.
• Let Π be the subspace spanned by all the states of the form where $|\psi\rangle$ is any state on $B_1$ and $(x,y)\in\{0,1\}^{\ell_{in}}\times\{0,1\}^{\ell_{out}}$. The unitary G acts as identity on the orthogonal complement of Π, and as follows on Π:
We first show that the adversary's advantage in Hybrid 1 and Hybrid 2 is identical (Lemma 3).
Proof of Lemma 3. This is immediate since Hybrid 2 is just a purification of Hybrid 1.
Next we show that the adversary's advantages in Hybrids 2 and 3 are negligibly close (Lemma 4).
Proof of Lemma 4.
Then, notice that we can write G ′ (from Hybrid 2) as

and define
Let A be an adversary for Hybrids 2 and 3. Recall that Hybrids 2 and 3 are identical except that the oracle is $G'$ in Hybrid 2 and G in Hybrid 3. Recall that the challenger initializes registers A, B in the state for some b ∈ {0, 1}. Then A receives register B. Let R denote the register where Eval writes its output, and let Z denote an additional work register used by A (which includes an output register). Let q be the number of queries to the oracle ($G'$ or G) made by A. Without loss of generality, for some unitary U on B R Z, we have that A applies the sequence of unitaries $(G'U)^q$ in Hybrid 2, and $(GU)^q$ in Hybrid 3.
We will prove Lemma 5, which implies that A's success probability in Hybrids 2 and 3 is negligibly close, as long as q = poly(λ). This will complete the proof of Lemma 4.
Lemma 5. Let $|\Psi_0\rangle_{AB}$ be as defined in (12) (note that this state depends on λ). Let $|\phi\rangle_{RZ}$ be any state, and U any unitary (both of which implicitly depend on λ), and let q ∈ ℕ. Then, for all λ,
Proof. For convenience, we use the following notation throughout this proof: for ε > 0 and states $|u\rangle$ and $|v\rangle$, we write $|u\rangle \equiv_\varepsilon |v\rangle$ as a shorthand for $\|\,|u\rangle - |v\rangle\,\| \le \varepsilon$. Let m be the number of qubits in register $B_1$. We prove Lemma 5 by induction on the number of queries. Precisely, we show that, for all i ∈ {0, . . ., q}:
(i) There exist unnormalized states $|\phi_{x,z}\rangle_{RZ}$ for $x,z\in\{0,1\}^{m+\lambda}$ such that, for all λ,
Clearly, both (i) and (ii) hold for i = 0. Now, suppose (i) and (ii) hold for some i. We show that they both hold also for i + 1. By the inductive hypothesis, we have for some unnormalized states $|\phi_{x,z}\rangle_{RZ}$ for $x,z\in\{0,1\}^{m+\lambda}$. Then, we have
By expanding the B register in the Pauli basis, we can write $U = \sum_{x,z\in\{0,1\}^{m+\lambda}} X^x Z^z \otimes U_{xz}$ for some operators $U_{xz}$. Then, plugging this into (14) we get for some unnormalized states $|\tilde\phi_{x,z}\rangle$. We will show that the second summand in the last expression has exponentially small weight on states such that the state on register $B_2$ is $|0^\lambda\rangle$. Precisely, we will show that
We will prove (16) at the end. Now, recall that a Clifford operator is uniquely specified by the fact that it maps Pauli operators to Pauli operators when acting by conjugation. For $C\in\mathcal C$ and $x,z\in\{0,1\}^{m+\lambda}$, let $\pi^X_C(x,z)\in\{0,1\}^\lambda$ be defined such that for some $x_1\in\{0,1\}^m$, $z\in\{0,1\}^{m+\lambda}$. In other words, $\pi^X_C(x,z)$ corresponds to the last λ bits of the Pauli X string obtained by conjugating $X^xZ^z$ by C.
Notice that, by definition of Eval, for some other state $|\tilde\phi_{0,0}\rangle$. So, plugging this into (19) gives
Applying $W_C$ to both sides, we get, by the unitarity of $W_C$ and using its definition,
which establishes item (i) of the inductive step. Next, we establish item (ii). From (19), we know that
Then, we have
RHS of (21), where (22) follows from the definition of $|\tau\rangle$; (23) from the definition of $\mathrm{Eval}_2$; and (24) follows for the same reasons as (18).
Overall, this gives, by a triangle inequality,
Hence, we have
where (26) is due to (10); (27) is due to (25); (28) is due to (11); and (29) is by the inductive hypothesis. Overall, by a triangle inequality, we have
This establishes exactly item (ii) of the inductive step, and hence Lemma 5 (assuming Equation (16)).
To conclude the proof of Lemma 5, we are left with proving Equation (16). We will make use of the "Clifford twirl."
Lemma 6 (Clifford twirl [ABOEM17]). Let n ∈ ℕ. Let $|\Psi\rangle$ be any state on n qubits. Let $x,z,x',z'\in\{0,1\}^n$ such that $(x,z)\neq(x',z')$. Let $\mathcal C$ be the Clifford group on n qubits. Then,
We have
where (30) follows from the Clifford twirl (Lemma 6), and (31) follows from the fact that for any $(x,z)\neq(0^{m+\lambda},0^{m+\lambda})$, the fraction of $C\in\mathcal C$ such that $\pi^X_C(x,z)=0^\lambda$ is exactly $2^{-\lambda}$. We claim that
Assuming this is the case, we have
as desired. We now prove the claim. The calculation is similar to the one we just performed. We have
where the last line follows again by the Clifford twirl. This concludes the proof of Lemma 5.
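Two facts carry the construction and its proof: a random Clifford one-time pad leaves anyone who does not know C with a maximally mixed state (the unitary 1-design property invoked in the proof of Lemma 7), and the twirl of Lemma 6 vanishes whenever the two Pauli labels differ. Both can be checked numerically on a single qubit. The script below is an added example and is not code from the paper; it enumerates the single-qubit Clifford group from the generators H and S (modulo global phase) with hand-rolled 2×2 complex arithmetic so that it needs no external library, and all function names are this example's own.

```python
"""Numerical check, on one qubit, of the Clifford one-time pad and the Clifford
twirl (Lemma 6).  Matrices are 2x2 lists of Python complex numbers; no numpy."""
import itertools
import math

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def dagger(a):
    return [[a[j][i].conjugate() for j in range(2)] for i in range(2)]

def add(a, b):
    return [[a[i][j] + b[i][j] for j in range(2)] for i in range(2)]

def scale(c, a):
    return [[c * a[i][j] for j in range(2)] for i in range(2)]

def fro_norm(a):
    return math.sqrt(sum(abs(a[i][j]) ** 2 for i in range(2) for j in range(2)))

I2 = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
Z = [[1, 0], [0, -1]]
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]
S = [[1, 0], [0, 1j]]

def canonical_key(a):
    """Identify a unitary up to global phase: rotate so the first non-zero entry
    is real positive, then round.  Conjugation C^dag P C is phase-invariant, so
    the dropped phase is irrelevant for everything below."""
    flat = [a[i][j] for i in range(2) for j in range(2)]
    pivot = next(v for v in flat if abs(v) > 1e-9)
    phase = abs(pivot) / pivot
    return tuple((round((v * phase).real, 6), round((v * phase).imag, 6)) for v in flat)

def clifford_group():
    """Closure of {H, S} under multiplication: the 24-element single-qubit
    Clifford group modulo global phase, found by breadth-first search."""
    seen = {canonical_key(I2): I2}
    frontier = [I2]
    while frontier:
        new = []
        for c in frontier:
            for g in (H, S):
                d = matmul(g, c)
                k = canonical_key(d)
                if k not in seen:
                    seen[k] = d
                    new.append(d)
        frontier = new
    return list(seen.values())

def pauli(x, z):
    """X^x Z^z, the Pauli-basis element used when U is expanded in the proof."""
    p = I2
    if x:
        p = matmul(p, X)
    if z:
        p = matmul(p, Z)
    return p

def one_time_pad_view(rho):
    """(1/|C|) sum_C C rho C^dag: what someone who does not know C sees.
    Because the Clifford group is a unitary 1-design this is I/2 for every rho."""
    group = clifford_group()
    acc = [[0, 0], [0, 0]]
    for c in group:
        acc = add(acc, matmul(matmul(c, rho), dagger(c)))
    return scale(1 / len(group), acc)

def clifford_twirl(rho, p, q):
    """sum_C (C^dag P C) rho (C^dag Q C): the operator Lemma 6 says is zero
    whenever P and Q carry different Pauli labels."""
    acc = [[0, 0], [0, 0]]
    for c in clifford_group():
        cp = matmul(matmul(dagger(c), p), c)
        cq = matmul(matmul(dagger(c), q), c)
        acc = add(acc, matmul(matmul(cp, rho), cq))
    return acc

def pad_hides(rho):
    """True iff the padded state is (numerically) the maximally mixed state."""
    return fro_norm(add(one_time_pad_view(rho), scale(-0.5, I2))) < 1e-9

def twirl_matches_lemma6(rho):
    """True iff the twirl vanishes exactly for (x,z) != (x',z') and survives
    for (x,z) == (x',z')."""
    labels = list(itertools.product((0, 1), (0, 1)))
    for (x, z), (x2, z2) in itertools.product(labels, labels):
        t = fro_norm(clifford_twirl(rho, pauli(x, z), pauli(x2, z2)))
        if ((x, z) != (x2, z2)) != (t < 1e-9):
            return False
    return True

if __name__ == "__main__":
    ket0 = [[1, 0], [0, 0]]            # |0><0|, a constructed test state
    plus = [[0.5, 0.5], [0.5, 0.5]]    # |+><+|
    print("Clifford group size:", len(clifford_group()))
    print("pad hides |0>:", pad_hides(ket0), " pad hides |+>:", pad_hides(plus))
    print("twirl agrees with Lemma 6:", twirl_matches_lemma6(ket0))
```

The one-qubit case is enough to see the mechanism: the group sends each non-identity Pauli to every signed axis equally often, so cross terms between distinct labels cancel sign by sign, while a matching pair survives with trace 24·Tr(ρ). The same cancellation is what (30) and (31) use at n = m + λ qubits, where the additional 2^{-λ} factor comes from the last λ bits of the conjugated X string.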
Lemma 7. For any adversary A for Hybrid 3,
The proof of Lemma 7 is a simple application of the "admissible oracle lemma" from [GJMZ23]. In fact, it is a very special case of that lemma, where the adversary has unbounded computation and the indistinguishability is perfect. We state this simple case of the admissible oracle lemma before presenting our proof of Lemma 7.
Definition 5 ((W, Π)-distinguishing game, [GJMZ23]). Let (A, B) be two quantum registers. Let W be a binary observable and Π be a projector on (A, B) such that Π commutes with W. Consider the following distinguishing game:
1. The adversary sends a quantum state on registers (A, B) to the challenger.
Lemma 8 (Admissible oracle lemma, special case [GJMZ23]). Suppose that every adversary achieves zero advantage in the (W, Π)-distinguishing game. Let G be an admissible unitary, i.e.,
• G commutes with both W and Π, and
Then every adversary achieves zero advantage in the (W, Π)-distinguishing game, even when given oracle access to G.
Proof of Lemma 7. We apply Lemma 8 with the following choices of Π, W, G:
• Π is the projection on A, B to all states of the form
• G is the unitary that acts as Eval on the range of Π, and acts as the identity on the range of I − Π.
It is immediate from the fact that the Clifford group is a unitary 1-design that the (W, Π)-distinguishing game has perfect security. It is also easy to see that G is an admissible oracle for (W, Π). Therefore, Lemma 8 implies that no adversary can obtain any advantage for distinguishing between the B registers of $|\tilde\psi_0\rangle$ and $|\tilde\psi_1\rangle$, even given oracle access to G.
This completes the proof of Theorem 2.

Unclonable Encryption
In this section we introduce a variant of unclonable encryption (UE) that we call coupled unclonable encryption (cUE). Coupled unclonable encryption is a weaker primitive than UE, in the sense that any secure UE scheme can be used to build a secure cUE scheme. It closely resembles UE, the main difference being that in cUE there are two encryption keys that decrypt two messages. The main result of this section is that, unlike UE, which we do not know how to construct from standard assumptions, cUE can be built from one-way functions. The main technical ideas behind our construction are presented in Section 3.1, and the cUE construction and proof of security are given in Section 3.2.
Beyond being interesting in its own right, we will show in Section 4 that, in conjunction with qsiO, cUE is already sufficient to build copy protection for certain interesting classes of functions. In order to obtain these applications, we will need an additional feature of UE or cUE that we call key testing. This feature is described in Section 3.3, where we also show that key testing can be generically added to any UE or cUE scheme using qsiO and injective one-way functions.
For an outline of the ideas and techniques used in this section, see the technical overview (Section 1.3).

Unclonable randomness
We find it easier to reason about a slightly weaker primitive than cUE, which we call "unclonable randomness." Essentially, unclonable randomness is cUE for random messages that the adversary does not choose: it allows one to encrypt random strings r, s under a secret key. The security guarantee says that it is not possible to split the encryption into two states which can both be used (together with the secret key) to learn any information about r and s.
Since we are able to build unclonable randomness unconditionally, and since it is just a building block for our cUE construction, we only formally define it for our particular construction (rather than as an abstract primitive). The security game for our unclonable randomness construction is given in Figure 2, and security is proven in Theorem 9. This result can be viewed as a decision version of the main result of [TFKW13].
Theorem 9. For any computationally unbounded adversary Adv, and any n, λ ∈ ℕ,
where $\mathrm{Rand\text{-}Expt}_{Adv}(n, \lambda)$ is described in Figure 2.
In particular, when n = poly(λ), the advantage is negligible in λ.
We prove Theorem 9 by reduction from a search version of the same game, defined in Figure 3. That this search version is secure follows straightforwardly from the results of [TFKW13], and is proven in Corollary 11.
The n = 0 case is exactly the monogamy-of-entanglement game considered in [TFKW13]. Observe that when n = 0, U and V are empty and the first message is simply $|x^\theta\rangle$. When n > 0, the adversary is given some extra information about x.
Theorem 10 (Theorem 3 in [TFKW13]). For λ ∈ ℕ and any computationally unbounded adversary Adv,
In the following corollary of Theorem 10, we show that the general Search-Expt reduces to the n = 0 case of Search-Expt.
Corollary 11. For n, λ ∈ ℕ and any computationally unbounded adversary Adv,
Proof. Suppose that Adv obtains advantage ε in $\mathrm{Search\text{-}Expt}_{Adv}(n, \lambda)$. We design a reduction Red[Adv, n, λ] that uses Adv to play Search-Expt(0, 10n + λ) by simply guessing the values Ux and Vx. Formally, Red is defined by the following behavior in Search-Expt(0, 10n + λ).

The challenger obtains x
The probability that Red samples U, V, r, s such that Ux = r and Vx = s is $2^{-2n}$, and conditioned on this event the view of the adversary in Search-Expt(n, λ) is exactly reproduced. Therefore, Red has advantage $\varepsilon/2^{2n}$ in Search-Expt(0, 10n + λ). By Theorem 10, we have
In order to reduce the security of Rand-Expt to that of Search-Expt, and prove Theorem 9, we require two lemmas.
Lemma 12. Let $\{|\psi_z\rangle\}_{z\in Z}$ be a family of states and $\{P_z, Q_z\}_{z\in Z}$ be a family of operators. Suppose that
Proof. Let $\{|\phi^i_z\rangle\}_i$ and $\{|\tau^j_z\rangle\}_j$ be eigenbases for $P_z$ and $Q_z$, respectively. Then we can write
and letting $\alpha_z$ denote the distribution over (i, j) with probabilities $|\alpha^{i,j}_z|^2$ we have
By an averaging argument, it follows that $\Pr_{z\leftarrow Z,\,(i,j)\leftarrow\alpha_z}$
A central component in our proof of Theorem 9 is the quantum Goldreich-Levin reduction of [BV97, AC02]. We recall that algorithm here. Let $\{A_u\}_{u\in\{0,1\}^n}$ be a collection of binary-outcome measurements and let $|\psi\rangle$ be a state.
2. Apply $\sum_{u\in\{0,1\}^n}|u\rangle\langle u|\otimes A^{ph}_u$, where $A^{ph}_u$ is the phase oracle for $A_u$, i.e., $A^{ph}_u$ applies a phase of (−1) to the subspace where $A_u = 1$ and acts as identity on the subspace where $A_u = 0$.
3. Measure the $|u\rangle$ register in the Hadamard basis, and output the result.
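As an added example (not from the paper), the routine above can be simulated classically in the special case where each measurement $A_u$ is a fixed classical predictor $p(u)\in\{0,1\}$ acting on no quantum side state. The routine is then exactly Bernstein-Vazirani: the phase oracle writes $(-1)^{p(u)}$ onto a uniform superposition over u, and the Hadamard-basis measurement returns x with probability $(2\varepsilon)^2$, where $\varepsilon = \Pr_u[p(u) = u\cdot x] - 1/2$ is the predictor's correlation with the inner-product function $u \mapsto u\cdot x$. The function names and the constructed predictors below are this example's own.

```python
"""Simulate the quantum Goldreich-Levin routine of [BV97, AC02] for a classical
predictor p(u).  Strings u, x in {0,1}^n are packed into ints; u.x is the
parity of popcount(u & x)."""
import math

def inner(u, x):
    """Inner product over GF(2) of the bit strings u and x."""
    return bin(u & x).count("1") & 1

def fwht_unitary(amps):
    """In-place Walsh-Hadamard transform, i.e. the n-fold Hadamard on the |u>
    register, normalised by 1/sqrt(N) so that it is unitary."""
    n_amps = len(amps)
    h = 1
    while h < n_amps:
        for start in range(0, n_amps, 2 * h):
            for j in range(start, start + h):
                a, b = amps[j], amps[j + h]
                amps[j], amps[j + h] = a + b, a - b
        h *= 2
    norm = 1 / math.sqrt(n_amps)
    for j in range(n_amps):
        amps[j] *= norm

def gl_output_distribution(n, predictor):
    """Steps 1-3 of the routine with A_u := the classical predictor p.
    Step 1: uniform superposition over u.  Step 2: the phase oracle multiplies
    the |u> branch by (-1)^{p(u)}.  Step 3: Hadamard-basis measurement, whose
    outcome probabilities are |amplitude|^2 after the Walsh-Hadamard transform.
    Returns {x: Pr[output = x]}."""
    size = 1 << n
    amps = [((-1) ** predictor(u)) / math.sqrt(size) for u in range(size)]
    fwht_unitary(amps)
    return {x: amps[x] ** 2 for x in range(size)}

def correlation(n, predictor, x):
    """epsilon such that Pr_u[p(u) = u.x] = 1/2 + epsilon."""
    size = 1 << n
    agree = sum(1 for u in range(size) if predictor(u) == inner(u, x))
    return agree / size - 0.5

def make_predictor(n, x, flipped):
    """Constructed predictor for u.x that is wrong exactly on the set `flipped`."""
    flipped = set(flipped)
    return lambda u: inner(u, x) ^ (1 if u in flipped else 0)

def gl_success(n, predictor, x):
    """Probability that the routine outputs the hidden string x."""
    return gl_output_distribution(n, predictor)[x]

def matches_closed_form(n, predictor, x):
    """The amplitude on |x> is (agree - disagree)/N = 2*epsilon, so the success
    probability is (2*epsilon)^2; check the simulation against that."""
    eps = correlation(n, predictor, x)
    return abs(gl_success(n, predictor, x) - (2 * eps) ** 2) < 1e-12

if __name__ == "__main__":
    n, x = 4, 0b1011                                   # constructed hidden string
    perfect = make_predictor(n, x, [])
    noisy = make_predictor(n, x, [0b0001, 0b0110])     # wrong on 2 of 16 inputs
    print("perfect predictor:", gl_success(n, perfect, x))   # 1.0
    print("noisy predictor:  ", gl_success(n, noisy, x))     # 0.5625
    print("epsilon(noisy) =", correlation(n, noisy, x))      # 0.375
```

With a perfect predictor the output is x with certainty; a predictor that is wrong on 2 of the 16 inputs has ε = 3/8 and recovers x with probability (3/4)² = 0.5625. Lemma 13 is the statement that matters for the reduction: when two such routines are run on disjoint registers of one entangled state, the probability that both output x is governed by the joint measurement rather than by a product of two such numbers.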
Lemma 13 (Simultaneous quantum Goldreich-Levin computation). Let $\{A_u\}_{u\in\{0,1\}^n}$ and $\{B_v\}_{v\in\{0,1\}^n}$ be collections of binary-outcome measurements that act on disjoint registers A and B. Let $|\psi\rangle$ be a state on A, B. Then the probability that
where $\Pi^{x,u}_A$ and $\Pi^{x,u}_B$ are the projections onto the subspaces where A and B output u
We then apply our controlled phase oracles to get the state
where we have used the fact that
(and similarly for $B^{ph}_v$). Next we apply Hadamard gates to the $|u, v\rangle$ part, project onto $|x,x\rangle\langle x,x|$, and take the norm squared to find the probability that both $GL(\{A_u\}_{u\in\{0,1\}^n})$ and $GL(\{B_v\}_{v\in\{0,1\}^n})$ output x. That quantity is
Proof of Theorem 9. As anticipated, we reduce the security of Rand-Expt to that of Search-Expt (Figure 3), which we established in Corollary 11. The first step of the proof is to rewrite Search-Expt in an equivalent form.
Observe that the challenger in Search-Expt could sample the vectors corresponding to Ux, Vx before actually deciding on the matrices U, V, and the security game would be identical. That is, the challenger will sample random vectors $r, s \leftarrow \{0,1\}^n$ and send $|x^\theta\rangle$, r, s to the adversary in the first step. Later, in order to run $\tilde A, \tilde B$, it will just sample random matrices U, V conditioned on Ux = r and Vx = s.
Before we give a formal description of this equivalent game, we define distributions that will be useful throughout the proof. For i ∈ [n], $x\in\{0,1\}^{10n+\lambda}$, and $r\in\{0,1\}^n$, let $D_i(x,r)$ be the distribution over matrices $U\in\{0,1\}^{n\times(10n+\lambda)}$ where row j ∈ [n] is sampled as
That is, $U\leftarrow D_i(x,r)$ is a random matrix conditioned on the first i values of Ux being equal to the first i values of r. Now our equivalent formulation of Search-Expt is as follows. Without loss of generality we assume that the state $\rho_{A,B}$ is a pure state $|\psi_{x,\theta,r,s}\rangle$.
$\mathrm{Search\text{-}Expt}_{Adv}(n, \lambda)$:
Note that the first message is the same in both Search-Expt and Rand-Expt, and the challenge bits a, b in Rand-Expt are sampled independently from the first message. Given an adversary Adv for $\mathrm{Rand\text{-}Expt}_{Adv}(n, \lambda)$, we define an adversary Red[Adv] for Search-Expt. The latter uses the [BV97, AC02] reduction where the adversaries guess random bits of r, s.
2. Adv outputs a state $|\psi_{x,\theta,r,s}\rangle$ and descriptions of binary-outcome measurement families A, B.
4. The challenger samples $U\leftarrow D_n(x,r)$, $V\leftarrow D_n(x,s)$ and measures $\tilde A_{\theta,U}$ and $\tilde B_{\theta,V}$ on $|\psi_{x,\theta,r,s}\rangle$, obtaining outcomes $x_A$ and $x_B$. The reduction wins if
Suppose that
In Rand-Expt, we denote the projections onto outcomes a and b by $A^a$ and $B^b$, respectively. Then,
By Lemma 12, we have
Next we use a sort of "hybrid argument" to relate the operators in the two games:
The above holds identically for the B part. We are now ready to bound the probability that our reduction wins Search-Expt. We begin by applying Lemma 13:
where the last line is because 2 − 1 , and similarly for the B term. Finally, we have
where the first inequality is by convexity. By Corollary 11, this quantity is at most

Coupled unclonable encryption
In this subsection, we introduce coupled unclonable encryption (cUE). It is similar to UE, except that it involves the simultaneous encryption of two messages $m_A$ and $m_B$ under two secret keys $sk_A$ and $sk_B$. Informally, security for cUE says that when a pirate processes the ciphertext into two parts, one given to Alice and the other to Bob, then after receiving $sk_A$ and $sk_B$ it is not possible for both Alice and Bob to simultaneously recover any information about their respective messages $m_A$ and $m_B$. While cUE is weaker than UE, we are able to make use of it in Section 4 as a central primitive in our proofs that qsiO copy-protects puncturable programs.
Let $\{\mathrm{PRG}_\lambda\}_{\lambda\in\mathbb N}$ be a family of pseudorandom generators with 1 bit of stretch. For n > λ, define $\mathrm{PRG}_{\lambda,n}$:
Theorem 9 about unclonable randomness gets us most of the way towards building cUE. The natural approach to construct cUE is to use the unclonable randomness as a one-time pad for the adversary's chosen message. However, there are two small technical issues. First, in cUE the keys $sk_A$ and $sk_B$ must be sampled independently, but the keys (θ, U) and (θ, V) in the unclonable randomness game cannot be sampled independently because they both contain θ. Second, the length of the message is determined by the adversary in the cUE game, whereas unclonable randomness has a fixed-length message as a function of λ. Therefore, our cUE scheme is slightly more complex than our unclonable randomness scheme, and additionally uses a pseudorandom generator.
We note that the matrix T in Construction 2 just serves to make the keys $sk_A$, $sk_B$ independent. If we were satisfied with the keys being partly identical (on θ) and partly independent (on U, V), then we would not need T.

Sample
Proof. We reduce security of Construction 2 to security of unclonable randomness (recall that the latter is defined via Rand-Expt from Figure 2). Let Adv be an efficient adversary for the security experiment cUE-Expt for cUE, and let λ be a security parameter. Let λ′ be the largest integer such that $11(\lambda')^2 + 11\lambda' + 1 \le \lambda$.
2. The challenger sends $|x^\theta\rangle, r_a, s_b$ to Red.
The view of Adv and A, B in $\mathrm{Rand\text{-}Expt}_{Red[Adv]}(\lambda', \lambda')$ is computationally indistinguishable from that in $\mathrm{cUE\text{-}Expt}_{Enc,Adv}(\lambda)$ by security of the PRG. Therefore,

Red samples messages
where we have invoked Theorem 9 for the second inequality.
A direct inspection of the proof of Theorem 14 gives the following.
Corollary 15. cUE exists unconditionally, for messages of fixed length.
Proof. The construction is identical to Construction 2, except that Ux and Vx are used directly as one-time pads, without first applying a PRG. Since the messages are of fixed length, one can sample U and V of the appropriate size. The security reduction is analogous to that for Theorem 14.

Key testing
For our applications it will be important that our UE and cUE schemes have an additional property that we call key testing. This states that there should exist an efficient algorithm Test that determines whether a given secret key is "correct" for a given encryption.
• (Security) For all polynomial-time adversaries Adv,
We can add key testing to any (coupled) unclonable encryption scheme using qsiO and injective one-way functions. The same construction and proof also work with classical indistinguishability obfuscation in place of qsiO, but we only state the result for qsiO because all of our applications use it. The main idea to upgrade a UE or cUE scheme to one with key testing is to append to the ciphertext a qsiO obfuscation of the program $\delta_{sk}$ (which is zero everywhere except at sk). Intuitively, this allows one to test the validity of a secret key, while at the same time preserving unclonability thanks to the properties of qsiO.
Theorem 16.If injective one-way functions and qsiO exist, then any UE or cUE scheme can be compiled into one with key testing.
Proof. For simplicity we only describe the compiler and proof for UE. The compiler for cUE is analogous.
Let (Enc, Dec) be a UE scheme. We build a UE scheme with key testing (Enc′, Dec′, Test) as follows:
where Eval is a universal quantum evaluation circuit, $A\leftarrow\mathbb F_2^{\lambda\times 3\lambda}$ is a random matrix sampled by Enc′, and the secret key sk = s is interpreted as a vector in $\mathbb F_2^{3\lambda}$. Correctness and key testing are clear from the construction, so we turn to proving UE security.

Copy Protection
In Section 2, we showed that qsiO is "best-possible" copy protection, and thus provides a principled heuristic for copy-protecting any functionality. In this section, our goal is to investigate which functionalities are provably copy protected by qsiO. We consider copy protection for three classes of functions, each with slightly different copy protection guarantees. All three security games begin with the challenger sending the adversary a quantum state that represents some copy-protected functionality; the adversary then applies some quantum channel to the received state, and creates a new state on two registers. The three security games differ from this point on:
1. In decision copy protection, each part of the adversary is given a uniformly random challenge input x, along with either (a) f(x), or (b) f(x′) for a fresh random x′. The task is for both parts to correctly guess which case they are in.
2. In search copy protection, each part of the adversary is given a uniformly random input x, and asked to produce y satisfying some condition Ver(x, y).
3. In copy protection for point functions, each part of the adversary is given both the marked input and a uniformly random input. The task is for both parts to correctly guess which one is the marked input.
Whereas point functions are a particular class of functions, the notions of decision and search copy protection are applicable to many classes of functions. We show that the classes of "decision puncturable" and "search puncturable" programs can be decision copy protected and search copy protected, respectively. Roughly, a decision puncturable program does not reveal any information about the function value at the punctured point; a search puncturable program may reveal some information, but an efficient adversary cannot compute from it any output that passes some (public or private) verification procedure at the punctured point. We define these notions of puncturable programs precisely in Section 4.1.
Informally, our main results of this section are:
1. Assuming injective OWFs, qsiO decision-copy-protects any decision-puncturable program.
Remark 4. For clarity of presentation we assume throughout this section that all challenge input distributions in the copy protection security games are uniform. These results can be generalized to arbitrary distributions with high min-entropy using a randomness extractor.

Puncturable programs
A puncturing procedure for a class of programs F is an efficient algorithm Puncture that takes as input a description of a program f ∈ F and polynomially many points $x_1,\ldots,x_t\in\mathrm{Domain}(f)$, and outputs the description of a new program $f_{x_1,\ldots,x_t}$. This program should satisfy $f_{x_1,\ldots,x_t}(z) = f(z)$ for all $z\in\mathrm{Domain}(f)\setminus\{x_1,\ldots,x_t\}$ as well as an additional security property:
• For decision puncturing, we require $(f_x, f(x)) \approx (f_x, f(x'))$ for a random x′. For instance, in [SW21] it was shown that one-way functions imply the existence of decision puncturable pseudorandom functions.
• For search puncturing, we require that no efficient adversary can compute, given $f_x$, an output y such that Ver(f, x, y) = 1, for some efficient (public or private) verification procedure Ver. For example, if f is a signing function with a hard-coded secret key or a message authentication code, Ver(f, x, y) would use the verification key to check that y is a valid signature or authentication tag for x. In [BSW16], puncturable signatures were constructed from injective one-way functions and (classical) indistinguishability obfuscation.
• For every QPT adversary $(\mathrm{Adv}_1, \mathrm{Adv}_2)$ such that $\mathrm{Adv}_1(1^\lambda)$ outputs a set $S\subseteq\{0,1\}^{n(\lambda)}$ and a state σ, if $f\leftarrow F_\lambda$, $f_S\leftarrow\mathrm{Puncture}(f, S)$, and $\hat S\subseteq\{0,1\}^{n(\lambda)}$ is a uniformly random set of the same size as S,
We only require search puncturable programs to be puncturable at a single point, because this definition suffices for our applications. This is also the definition given in [BSW16].

Decision copy protection
All of the copy protection variants that we define in Section 4 have the same correctness definition (Definition 3). They only differ in their definition of security.
We now describe a reduction Red that plays UE-Expt using an adversary for the point function copy-protection game. We use a slight variant of UE-Expt where the challenger encrypts a random bit, which is equivalent to the game presented in Figure 4 in the case of single-bit messages.

2. The challenger samples a challenge bit c ← {0, 1} and a secret key $sk\leftarrow\{0,1\}^\lambda$. (a) If c = 0, the challenger samples a random message r of the same length as m and sends Enc(sk; r) to the adversary. (b) If c = 1, the challenger sends Enc(sk; m) to the adversary.

and $m^1_A = r_A$, $m^1_B = r_B$. The challenger sends $\mathrm{Enc}(sk_A, sk_B; m^a_A, m^b_B)$ to the adversary.
4. The adversary splits into two non-communicating parties A and B.
5. The challenger sends $sk_A$ to A and $sk_B$ to B.
6. A outputs a bit a′ and B outputs a bit b′. The adversary wins if a′ = a and b′ = b.

A and B.
4. The challenger sends $x_A, y^a_A$ to A and $x_B, y^b_B$ to B.
5. A outputs a bit a′ and B outputs a bit b′. The adversary wins if a′ = a and b′ = b.
For a distribution D, the notation x ← D denotes sampling an element from D; for a set S, x ← S denotes sampling an element uniformly at random from S. For distributions D, D′, we write D ≈ D′ and D ≡ D′ to indicate computational and statistical indistinguishability, respectively. We denote by $\mathcal C_d$ the Clifford group for dimension d, i.e., the set of d-dimensional unitary operators that conjugate d-dimensional generalized Pauli matrices to d-dimensional generalized Pauli matrices. If the dimension is clear from the context, we simply write $\mathcal C$.

Figure 1: $\mathrm{CP\text{-}Expt}_{CP,Adv,Ver}(\lambda)$. The challenger samples $f\leftarrow F_\lambda$, creates the quantum implementation σ = CP(f), and sends it to the adversary. The adversary maps this to a state $\rho_{AB}$ on the two registers A, B, and sends $\rho_{AB}$ back to the challenger, along with (descriptions of) families of quantum circuits A and B on A and B respectively. The challenger runs $\mathrm{Ver}_\lambda(f, A)\otimes\mathrm{Ver}_\lambda(f, B)$ on $\rho_{A,B}$, and outputs 1 if both outcomes are 1.

Lemma 3. For any adversary A, Pr[A wins in Hybrid 1] = Pr[A wins in Hybrid 2].

Lemma 4. For any adversary A for Hybrids 2 and 3, there exists a negligible function negl such that, for all λ, |Pr[A wins in Hybrid 2] − Pr[A wins in Hybrid 3]| ≤ negl(λ).

2. The challenger chooses a random bit b ← {0, 1}. Next, it measures {Π, I − Π}; if the measurement rejects, abort and output a random bit b′ ← {0, 1}. Otherwise, the challenger applies $W^b$ to (A, B), and returns B to the adversary.
3. The adversary outputs a guess b′. We define the distinguishing advantage of the adversary to be |Pr[b′ = b] − 1/2|.

Figure 2: $\mathrm{Rand\text{-}Expt}_{Adv}(n, \lambda)$. The challenger first generates random strings $x, \theta\leftarrow\{0,1\}^{10n+\lambda}$, $r_0, s_0\leftarrow\{0,1\}^n$ and random matrices $U, V\leftarrow\{0,1\}^{n\times(10n+\lambda)}$. It then computes $r_1$ and $s_1$ as Ux and Vx respectively. The challenger samples random bits a and b, and sends the state $|x^\theta\rangle$ along with $r_a$ and $s_b$ to the adversary. The adversary then computes a quantum state $\rho_{A,B}$ and circuit descriptions A and B, and sends $(A, B, \rho_{A,B})$ back to the challenger. The challenger measures $A_{\theta,U}$ and $B_{\theta,V}$ on $\rho_{A,B}$, obtaining outcomes a′ and b′. The adversary wins if a′ = a and b′ = b.

Figure 4: $\mathrm{UE\text{-}Expt}_{Enc,Adv}(\lambda)$. The challenger samples a secret encryption key sk, while the adversary decides on a message m and sends it to the challenger. The resulting internal state of the adversary is τ, which will be provided to the next part of the adversary. The challenger samples a fresh random message $m_0$, sets $m_1 := m$, and encrypts $m_c$ for c ← {0, 1} using sk. The challenger sends the encryption σ to the adversary, who maps this to a state $\rho_{AB}$ on the two registers A, B and returns $\rho_{AB}$ to the challenger, together with descriptions of (families of) quantum circuits A and B on A and B, respectively, indexed by keys. The challenger runs $A_{sk}$ and $B_{sk}$ on $\rho_{AB}$, obtaining outcomes a′ and b′. The adversary wins if a′ = b′ = c.

6. Define the circuit $\tilde A^d_{\theta',U'}$ as follows: (a) Let $\theta_A, \theta_B\in\{0,1\}^{11\lambda'+1}$ be the two vectors such that $T\theta_A = T\theta_B = \theta'$. Let $\theta_A$ be whichever vector has the first differing bit between $\theta_A$ and $\theta_B$ equal to d; similarly let $\theta_B$ be the vector which has 1 − d at the first differing location. (b) Let $sk_A := (\theta_A, U', \mathrm{pad})$ where pad is a random string of length $\lambda - 11(\lambda')^2 - 11\lambda' - 1$. (c) Return the output of running $A_{sk_A}$ on the input state. Define $\tilde B^d_{\theta',V'}$ similarly. Red samples d ← {0, 1} and sends $\rho_{A,B}$ and $\tilde A^d, \tilde B^d$ to the challenger.
7. The challenger measures $\tilde A^d_{\theta,U}$ and $\tilde B^d_{\theta,V}$ on $\rho_{A,B}$, obtaining outcomes a′ and b′. The reduction wins if a′ = a and b′ = b.
• (Correctness) For all $sk_A, sk_B\in\{0,1\}^\lambda$ and $m_A\in\{0,1\}^{n_A}$, $m_B\in\{0,1\}^{n_B}$, $\mathrm{Dec}(0, sk_A; \mathrm{Enc}(sk_A, sk_B; m_A, m_B)) \to m_A$ and $\mathrm{Dec}(1, sk_B; \mathrm{Enc}(sk_A, sk_B; m_A, m_B)) \to m_B$.
The reader may be wondering whether the security guarantees of UE or cUE imply standard CPA security. For UE, it is straightforward to see that Definition 6 implies CPA security: an adversary breaking CPA security can be used in the UE game to recover a guess for the challenge bit c. Then the UE adversary can simply set A and B to be families of circuits that always output c. On the other hand, for cUE (Definition 7) the natural reduction only shows that no adversary can simultaneously guess both challenges, leaving open the possibility that the adversary can guess one of the challenges. It is therefore not clear whether cUE security implies CPA security for each message separately.