不可克隆密码学：无界共谋与超高效影子层析的不可能性 (Unclonable Cryptography with Unbounded Collusions and Impossibility of Hyperefficient Shadow Tomography)

Quantum no-cloning theorem gives rise to the intriguing possibility of quantum copy protection where we encode a program or functionality in a quantum state such that a user in possession of k copies cannot create k+1 copies, for any k. Introduced by Aaronson (CCC'09) over a decade ago, copy protection has proven to be notoriously hard to achieve. Previous work has been able to achieve copy-protection for various functionalities only in restricted models: (i) in the bounded collusion setting where k -> k+1 security is achieved for a-priori fixed collusion bound k (in the plain model with the same computational assumptions as ours, by Liu, Liu, Qian, Zhandry [TCC'22]), or, (ii) only k -> 2k security is achieved (relative to a structured quantum oracle, by Aaronson [CCC'09]). In this work, we give the first unbounded collusion-resistant (i.e. multiple-copy secure) copy-protection schemes, answering the long-standing open question of constructing such schemes, raised by multiple previous works starting with Aaronson (CCC'09). More specifically, we obtain the following results. - We construct (i) public-key encryption, (ii) public-key functional encryption, (iii) signature and (iv) pseudorandom function schemes whose keys are copy-protected against unbounded collusions in the plain model (i.e. without any idealized oracles), assuming (post-quantum) subexponentially secure iO and LWE. - We show that any unlearnable functionality can be copy-protected against unbounded collusions, relative to a classical oracle. - As a corollary of our results, we rule out the existence of hyperefficient quantum shadow tomography, * even given non-black-box access to the measurements, assuming subexponentially secure iO and LWE, or, * unconditionally relative to a quantumly accessible classical oracle, and hence answer an open question by Aaronson (STOC'18).

翻译：量子不可克隆定理催生了量子复制保护这一引人入胜的可能性，即我们可以将程序或功能编码在量子态中，使得拥有k个副本的用户无法创建k+1个副本（对任意k均成立）。由Aaronson（CCC'09）于十多年前提出的复制保护已被证明极难实现。先前的工作仅在受限模型中实现了多种功能的复制保护：（i）在有界共谋场景下，针对预先固定的共谋界k实现了k -> k+1安全性（在普通模型中，基于与我们相同的计算假设，由Liu、Liu、Qian、Zhandry [TCC'22]完成）；或（ii）仅实现了k -> 2k安全性（相对于结构化量子预言机，由Aaronson [CCC'09]完成）。在本工作中，我们首次提出了抗无界共谋（即多副本安全）的复制保护方案，回应了自Aaronson（CCC'09）以来多个工作提出的长期开放性问题。具体而言，我们取得了以下成果： - 我们在普通模型（即无需任何理想化预言机）中构建了（i）公钥加密、（ii）公钥功能加密、（iii）签名及（iv）伪随机函数方案，其密钥可抵抗无界共谋的复制攻击，假设（后量子）亚指数安全的iO与LWE成立。 - 我们证明任何不可学习的功能均可实现抗无界共谋的复制保护（相对于经典预言机）。 - 作为推论，我们排除了超高效量子影子层析存在的可能性： * 即使给定对测量的非黑盒访问权限，假设亚指数安全的iO与LWE成立；或 * 无条件地相对于量子可访问的经典预言机成立，从而回答了Aaronson（STOC'18）提出的开放性问题。