Patent Application
20240372696
The present disclosure generally relates to the field of tracers for detecting if a decoder device is executing a pirated copy of a decryption key acquired from one or more traitor users.
The threat of quantum computers requires re-evaluation of some of the core aspects of modern cryptography. Due to Shor's algorithm, cryptosystems based on factoring or discrete logs will be insecure. Even for cryptosystems based on so-called “post-quantum” building blocks, quantum computing may also yield new threat models, such as superposition attacks.
A perhaps more subtle issue is the following: even if the building blocks are quantum-immune and the threat model remains the same, the classical proof may not hold quantumly. Indeed, a classical proof converts a classical adversary into a classical algorithm for some underlying hard problem, while a post-quantum proof must convert a quantum adversary into a quantum algorithm. What works for classical adversaries may not work for quantum adversaries. The canonical example of a proof technique that does not translate is rewinding, which is known to be problematic quantumly due to the no-cloning theorem. (A different example is the quantum random oracle model, though this model is conceptually closer to the superposition attacks mentioned above.) Rewinding is most often discussed in the context of interactive proofs, where it is used to extract information from the adversary that would remain hidden against straight-line procedures. In this context, a number of positive results have been achieved quantumly.
There are certain cases where rewinding arises, perhaps implicitly, in settings other than interactive proofs:
When moving to the quantum setting for traitor tracing, Zhandry shows that if the pirate decoder contains a quantum state, then the classical tracing algorithms are no longer guaranteed to work. The malicious users of course want to design their decoder in such a way as to avoid tracing, and would therefore be incentivized to design a quantum state decoder to evade tracing. Being able to trace such quantum state decoders is therefore the natural model to consider in the post-quantum setting. Zhandry provides an initial positive result, showing how to trace even quantum decoders for schemes in the Private Linear Broadcast Encryption (PLBE) framework, when the identity space is polynomial size. (Another limitation of Zhandry's work is that the PLBE must support public encryption for all distributions used during tracing, which is not true of the known succinct LWE-based scheme.) However, the techniques are incapable of handling other important traitor tracing approaches, in particular:
Thus, these important cases of traitor tracing and the iO-diO equivalence were previously open questions in the quantum decoder/auxiliary input setting.
We show the following results:
We then design new algorithms for the model, for the instances arising from the aforementioned open problems. This step is entirely classical, and while the algorithms may not be trivial, they are fairly simple. Combining our results together, we achieve the following results:
Non-limiting and non-exhaustive examples are described with reference to the following figures.
The following description sets forth exemplary aspects of the present disclosure. It should be recognized, however, that such description is not intended as a limitation on the scope of the present disclosure. Rather, the description also encompasses combinations and modifications to those exemplary aspects described herein.
Essentially all modern classical traitor tracing algorithms can be framed as follows. There is a collection ={Dq
of distributions of ciphertexts, and the adversary produces a decoder subject to the following guarantees:
Abstracting out the details of generating the various distributions and estimating their success probability, we arrive at a model we might call the Globally Consistent Hidden Partition model, where the tracer simply queries (potentially adaptively) on various qi∈ and receives in response real numbers oi ∈[0, 1]. We are guaranteed that any oi,oj which correspond to queries qi,qj lying in the same part of the partition Π will be close, that qi=α will give “large” oi, and that qi∈Ω will give “small” oi. The tracer then takes these o; and uses them to learn information about the partition.
Example: PLBE. To make things concrete, we now illustrate how this view captures private linear broadcast encryption (PLBE). Here, there are N users, with identities 1, . . . , N. For any q∈[0,N], one can encrypt to the set [q]={1, . . . , q}. Users in q will be able to decrypt, while users outside of q will not. An “honest” ciphertext is an encryption to all users, q=N. Moreover, any coalition of users will be unable to distinguish encryptions to [a] and [b], unless the coalition contains a user in the half-open interval (a,b]. In the view above, we would therefore have =[0,N], α=N, and Ω={0}. For a coalition of users a1<a2< . . . <at ∈[N], the partition Π therefore consists of the intervals [0,a1], (a1,a2], (a2,a3], . . . , (at,N].
To trace, we split into two cases. In the case where N is polynomial, one simply estimates the success probabilities o0, o1, . . . , oN on queries 0, 1, . . . , N. The usefulness of the decoder implies that oN>>0, while PLBE security implies that o0≈0. Therefore, there must exist a q such that |oq−1−oq|>>0. But since oi must be constant on the intervals in Π, we know that q=ai for some i. Thus we have identified a member of the coalition.
If N is exponential, then we cannot simply do a linear scan. However, a variant of a binary search will work, as shown in Boyle, Chung, and Pass as well as Nishimaki et al. In the binary search, we recurse left if there is a large gap between the pivot and the left value, while we recurse right if there is a large gap between the pivot and the right value. Importantly, we must make sure to pivot both left and right if there is a large gap in both directions. Otherwise, there is a possibility that every time we recurse, the gap gets divided by 2, and after a polynomial number of steps the gap is negligible but we have yet to accuse a user. Fortunately, it is proved by those works that there will never be more branches in the binary search than there are users in the coalition, so the overall search still takes polynomial time.
When we move to allowing a quantum decoder, we must be much more careful. There are several issues, first pointed out by Zhandry. First is definitional: the success probability of the decoder is not necessarily known (nor even knowable) until it is measured, and any measurement necessarily alters the quantum state. Care must be taken to appropriately define traitor tracing to handle cases where the decoder may be in superposition of both high success probability and low success probability. Zhandry shows how to handle these definitional issues.
The second issue has to do with rewinding, which happens at two levels. First, estimating success probability on a distribution classically involves running the decoder on various samples from the distribution. But this implicitly requires being able to return the decoder to its original state every time, to ensure independent trials from the same distribution. As mentioned above, quantumly rewinding is problematic. In particular, each trial may alter the state of the decoder. Zhandry demonstrates that the classical approach of repeated sampling cannot, in general, yield an estimate of the decoder's success probability. Fortunately, Zhandry shows how to develop a quantum-compatible success probability estimation routine based on a technique of Marriott and Watrous.
Note that Zhandry's procedure requires security to hold when the adversary gets an arbitrary polynomial number of tracing ciphertexts; this is not the case for traitor tracing from LWE. We inherit this limitation, and this is why we still cannot handle succinct traitor tracing from LWE.
A second level is that multiple success probabilities will have to be estimated, for various distributions of inputs. In the classical setting, it is assumed that each estimate of success probability is applied to the same initial decoder; in other words, the decoder is rewound to its initial state. (The usual terminology is that the decode is “stateless.”). Otherwise, how can we make sense of gaps between estimated success probabilities, if the success probabilities has since changed and the previous estimates are no longer valid.
Zhandry gives a first step toward overcoming this problem, by showing that a local consistency property holds: if two consecutive estimates of success probabilities are on computationally indistinguishable distributions, then the estimated success probabilities will be close. However, estimated probabilities that are not consecutive may not obey this property. This gives rise to a variant of the tracing model above, which we will call the Locally Consistent Hidden Partition Model, that is identical to the Globally Consistent model above, except that (1) oi,oj corresponding to qi,qj in the same part are guaranteed close only if |i−j|≤1, and (2) qi=α is guaranteed to yield a large ri only on the first query i=1. The good news is that the linear scan algorithm for PLBE with polynomial identity space fits within this model (provided the scan starts at N and goes to 0), allowing Zhandry to trace this particular case. On the other hand, the model seems inherently limited to PLBE: during any sequence of probability estimates, the estimate outcomes may be the sequence 1, 1, 1, . . . , 1, 0, 0, 0, . . . . Such a sequence would satisfy the local consistency requirements, as long as the jump from 1 to 0 happens the first time a distribution Dq for q∈Ω is tested. But for a polynomial-length sequence, only a log number of bits of information can be extracted, namely the location of the jump between 1 and 0. Thus this model is incapable of handling a variety of traitor tracing scenarios, such as
A starting point for our results is the recent work of Chiesa, Ma, Spooner, and Zhandry. They provide a powerful new rewinding technique, where they show that in some sense it is possible to “repair” a quantum state after a measurement. They apply their technique to the setting of interactive proofs, where they repair the quantum state of the adversary in order to rewind the it many times. In this work, we show how to adapt the rewinding technique to our setting.
Before getting into the details of our approach, we highlight some conceptual differences between our settings:
In order to simplify the task of designing new tracing protocols to overcome these challenges, we propose an intermediate model which we call the Back One Step (BOS) model. The BOS model allows us to abstract away the complicated techniques of state repair in order to give a clean model of what the technique should be capable of. This model will then allow us to design novel tracing algorithms. Importantly, the task of designing algorithm in the model will be entirely classical, with all the quantum aspects hidden beneath the abstraction.
The Model. We now describe the BOS model: there is a collection of queries available. There is moreover a potentially stateful oracle which contains a secret partition Π of
. The oracle accepts a sequence of queries q1, . . . , qt ∈
, and answers queries with a bit oi ∈{0, 1}. Note that we descretized the oi, to make the model simpler. We impose the following constraints:
We next briefly describe how the process works for tracing PLBE; for the other results see the main body of the paper.
The case of PLBE. As explained above, in the case of PLBE, we have =[0, N], α=N, Ω={0}, and Π={[0, a1], (a1, a2], (a2, a3], . . . , (at, N]}. Our goal is to recover one of the ai.
We know if the first query is on α=N, then the response is oN=1. Likewise, we know if we ever query on 0, the response is o0=0. In the classical case, we would identify an ai via a binary search. We first assign a pivot to be N/2, and query on N/2. If the query response is oN/2=1, we know that at least one ai lies in the interval [1, N/2], so we can recurse on the interval [0, N/2]. If the query response is ON/2=0, then we know at least one ai lies in the interval [N/2+1, N], and so we can recurse on the interval [N/2, N].
In the BOS model, we can try the same: after querying on N and receiving response 1, we query on N/2 and receive response oN/2. If oN/2=1, we know by the rules of the BOS model that there is an ai in the interval [1, N/2], and if oN/2=0, we know by the rules of the BOS model that there is an ai in the interval [N/2+1, N]. Moreover, in the case oN/2=1, we actually have the correct setup to recurse on ′=[0, N/2] by setting α′=N/2, Ω′={0}, and Π′ to be the partition of
′ induced by
. Indeed by local consistency, since the last query was on N/2=α′ and the response was 1, if the next query is on α′ the response will be 1, guaranteeing a large response for the recursion. Small value on the sink, local consistency, and single step rewinding carry over as well.
On the other hand, let us see what happens if we try to recurse on [N/2, N] in the case oN/2=0. We would naturally set ′=[N/2, N], α′=N, Ω={N/2}. We note that
local consistency and single step rewinding still carry over to this case. Moreover, since the penultimate query was on N=α′, single step rewinding guarantees that we get a large value on α′ if it is the next query.
This leaves small values on sink. Initially, it is true that querying on the sink N/2 gives 0, as desired. But importantly this only holds initially, where the BOS model requires the sink to give 0 always. We can see where this leads to trouble by taking the recursion a couple steps model. The next step is to query on 3N/4, receiving o3N/4. Suppose o3N/4=1. Then we recuse left on the interval ″=[N/2, 3N/4] and query on 5N/8. Suppose again that o5N/8=1, so we recurse on the interval [N/2,5N/8]. At this point, we would want that Ω′″={N/2}. However, our last query on N/2 was three queries ago (with 3N/4 and 5N/2 between). Therefore, oN/2 may have changed, and there is no longer any guarantee of having small values on the sinks. Without a small value on the sinks, the recursion will fail.
One attempt to fix this problem is, after querying on 3N/4 and receiving o3N/4=1, we insert a query on N/2. By single step rewinding, we have, as desired, that the result is oN/2=1. However, this strategy fails when we move to the query on 5N/8. Suppose now that o5N/8=0, meaning we recurse right on the interval ′″=[5N/8, 3N/4]. Unfortunately, by inserting the new query on N/2, the most recent query on 3N/4 was now three queries ago (being followed by N/2 and 5N/8). Therefore, we no longer have the guarantee that querying on the new source α′″=3N/4 gives a 1, and in fact it could be that all future queries give a 0, which clearly does not allow for extracting any information.
We now explain our solution. If oN/2=1, we recurse on [0, N/2] as we would classically. In the case oN/2=0, we still query on 3N/4 to get o3N/4. Here, if o3N/4=1, we cannot recurse on the interval [N/2, 3N/4]. However, we can recurse on the interval ′=[0, 3N/4], since now Ω′={0}=Q and so we guarantee small values on sinks throughout, not just on the next query.
What if o3N/4=0? In this case, we update the pivot to 7N/8 as if we were recursing to the right. Importantly, however, we always keep the bottom of the domain as 0 to ensure small values on the sink. So if o7N/8 gives 1, we recurse on the interval [0, 7N/8]. If o7N/8=0, we update the pivot to 15N/16, and so on.
With this new algorithm, we can prove that we do indeed preserve all the properties of the BOS model in each step of the recursion, and will eventually reach the case where the interval is [0, a] and the pivot is a−1, and the last two queries were on a, a−1 giving oa=1, oa−1=0. We output a, as local consistency implies that a is one of the endpoints of the intervals in Π. Moreover, we can prove termination in a polynomial number of steps, namely O(t log2 N) where t is the number of ai
We assume basic familiarity with quantum computation. We distinguish between classical probabilistic polynomial time (PPT) algorithms and quantum polynomial time (QPT) algorithms. Sometimes we will consider programs that consist of a quantum state. Formally, these will consist of a quantum circuit C, and and a quantum auxiliary input aux. To evaluate the program on input x, one evaluates C on |x⊗aux. We will denote such programs by |P
and the evaluation of such programs as |P
(x).
Almost Projective Measurements. We state a property of general measurements due to zhandry that captures when a measurement is “close” to being projective, in the sense that sequential applications of the measurement yield similar outcomes.
A real-valued measurement M=(Mp)p is (ϵ, δ)-almost projective if applying M twice in a row to a register (initially containing any state φ produces measurement outcomes p, p′ where Pr[|p−p′|≤ϵ]≥1−δ.
Quantum State Repair. We now recall quantum state repair from Chiesa, Ma, Spooner, and Zhandry.
[Chiesa et al., Lemma 4.10] Given a projective measurement P on register that has outcomes in set S of size N, an (ϵ, δ)-almost projective measurement M on
, and T∈
, s∈S, p∈[0,1], there exists a procedure RepairT,p,sM,P on
such that:
Then Pr[|p−p′|>2ϵ]≤Nδ+N/T+4√δ.
In other words, since M is almost projective, applying M twice in a row will give outcomes p, p′ that are close. However, if P is applied in between these two measurements, there are no more guarantees on the closeness of p, p′. However, by applying Repair before the second application of M, we can once again ensure closeness of p, p′.
Mixtures of Projective Measurements. The following is taken from Zhandry. We consider the following abstract setup. We have a collection ={
i}i∈
of binary outcome projective measurements
i=(Pi,Qi) over the same Hilbert space
. Here, Pi corresponds to output 0, and Qi corresponds to output 1. We will assume we can efficiently measure the
i for superpositions of i, meaning we can efficiently perform the following projective measurement over
⊗
:
Here, we call a collection of projective measurements, and call
the control. For a distribution D over
, let
D be the POVM which samples a random i←D, applies the measurement
i, and outputs the resulting bit. We call
D a mixture of projective measurements. The POVM is given by the matrices (PD,QD) where
Next, for a∈ and interval [b,c]⊂
, denote the distance between a and [b,c] as |a−[b,c]|:=minx∈[b,c] |a−x|. For a∈[b,c], the distance is 0 and for a∉[b,c], the distance is max(a−c,b−a). Let D0, D1 be two distributions over
, with cumulative density functions ƒ0, ƒ1, respectively. Let ϵ∈
. The Shift distance with parameter ϵ is defined as:
Let M= and N=(Nj)
be real-valued quantum measurements over the same quantum system
. The shift distance between M, N, denoted Δϵ(M, N) is defined as
Now, if D=(PD,QD) is a mixture of projective measurements, we note that QD=I−PD, and therefore PD, QD commute. In this case,
D has a projective implementation, denoted ProjImp(
D), which is defined as follows. Let S be the set of eigenvalues of PD, and Ri for i the projectors onto the associated eigenspaces. Then ProjImp(
D) is the projective measurement (Pi)i∈S. Note that S⊂[0, 1]. Also note that applying
D is equivalent to the following: first apply ProjImp(
D) to obtain outcome p, then interpret p as a probability and output 1 probability p.
[Zhandry, Theorem 6.2] For any ϵ, δ, , D, there exists an algorithm
operating on
and making quantum queries to
, D which additionally outputs a number in some set S⊂[0, 1] such that:
[Zhandry, Theorem 6.5] Let ρ be an efficiently constructible mixed state over , and D0, D1 efficiently sampleable, computationally indistinguishable distributions. For any inverse polynomial ϵ, there exists a negligible δ such that Δϵ(ProjImp(
D
D
A fingerprinting code is used to fingerprint data. Fingerprinting codes have long been used to build traitor tracing schemes. Note, however, that the fingerprinting codes explicitly cited in the literature are usually binary codes. Yet, the schemes provided can be generalized to non-binary codes, but require a different kind of code called an identifiable parent property (IPP) code. We will use this generalization in order to abstract more schemes from the literature, so we here define IPP codes rather than fingerprinting codes. Note that the two notions coincide for binary codes.
An IPP code is a pair (GenIPP, TraceIPP) of PPT algorithms such that:
For a set of codewords C⊂, let F(C) be the “feasible set” of C, which is defined as follows. A codeword w*∈Σ∪{?} is in F(C) if, for each position j∈[
], either wj*=? or there exists a codeword w∈C such that wj*=wj. In other words, F(C) consists of all codewords in C, plus all codewords that can be obtained from C by potentially using a different codeword character in each position. Additionally, any entry can be set to ?. The condition of being in the feasible set of C is also called the “marking condition”.
Where IPP codes differ from fingerprinting codes is in this marking condition. For a fingerprinting code, in any position where {wj}w∈C is not a single character, wj* is allowed to be anything. This condition better reflects the use in fingerprinting. However, the marketing condition for IPP codes better reflects the use in traitor tracing.
An IPP code (GenIPP, TraceIPP) is δ-robust if, for all (potentially unbounded) algorithms IPP, for all polynomially bounded N, c, and for all S⊂[N],
IPP wins the following experiment with probability at most 2−λ:
We now discuss security, adapting the software decoder model version of the definition of Zhandry. For a decoder |D, two messages m0, m1, and public key pk, consider the operation on |D
:
Let TT=(M0, M1) be the POVM given by this operation, which we call the associated POVM to the decoder.
TT has a projective implementation ProjImp(
TT)={Mp′}p, where each Mp′ corresponds to the probability distribution on {0, 1} that is 1 with probability p.
Tracing Experiment. For an adversary TT, function ϵ(⋅), and security parameter λ, we consider the following experiment on
TT:
A tracing system is quantum traceable if for all quantum polynomial time adversaries TT and for every inverse polynomial ϵ, there is a negligible negl such that Pr[FailϵTT]<negl(λ) and Pr[LiveϵTT∧¬SuccessϵTT]−negl(λ).
Variations. The usual setting of traitor tracing has I=[N] for a polynomial N. In this case, we often set N to be an explicit input to GenTT, and the parameters of the scheme may depend on N. A bounded collusion traitor tracing scheme additionally has another parameter c given to GenTT, and security only is required to hold if |S|≤c. Traitor tracing with embedded identities has for ={0, 1}n for integer n. Therefore, identities are now polynomial-length strings. Here, n may be an input to GenTT and the parameters of the scheme may depend on n. Note that some versions of embedded identity traitor tracing will have
={0, 1}*, meaning there is no a priori bound on the length of identity strings. Finally, we consider schemes with private tracing, where GenTT outputs a special tracing key tk, which is inputted into TraceTT, and security only holds if tk is kept secret.
We now define differing-inputs obfuscation (diO) in the quantum setting. To the best of our knowledge, diO has not been defined in the quantum setting, and it turns out that the task is somewhat subtle. Below, we adapt the definition of traitor tracing for quantum decoders to give a strong definition of quantum-secure diO.
Let m(λ), n(λ), s(λ) be polynomials, and consider a quantum polynomial time algorithm Samp(1λ) which samples (1) a pair of circuits C0, C1 of size s(λ), input length n(λ) and output length m(λ), and (2) a quantum side information aux. Consider a distinguishing adversary . Consider the following operation on aux:
Let diO=(M0, M1) be the POVM given by this operation, which we call the associated POVM to the sampler.
diO has a projective implementation ProjImp(
diO)={Mp′}p, where each Mp′ corresponds to probability distribution on {0, 1} that is 1 with probability p.
Now consider an extractor ε which takes as input C0, C1, aux as well as a parameter ϵ whose reciprocal is inputted in unary (so 11/ϵ), so that if ε runs in polynomial time, then it runs in time polynomial in λ whenever ϵ is an inverse polynomial in λ. We define the following experiment, parameterized by S, , ε as well as a function ϵ:
we say that event LiveϵdiO happens.
[Post-Quantum Differing-inputs Obfuscation] A post-quantum differing-inputs obfuscator (diO) is a PPT algorithm diO such that:
A partition Π of a set T is a collection of subsets Π={S1, . . . , Sn} such that T=∪iSi and the Si are disjoint. The sets Si are called parts of Π. Given partition Π={S1, . . . , Sn} of T and Π′={S1′, . . . , Sn′′,} of T′, we can define the product partition Π×Π′ of T×T′ as Π×Π′={Si×Sj}(i,j)∈[n]×[n′]. We can similarly define the product of several partitions.
The basic setup. Fix a set , α∈
a distinguished element, and Ω⊆
a distinguished subset. Also fix a relation R(Π, w) that takes as input partitions Π of
and strings w∈{0, 1}* and outputs a bit.
Given , α, Ω, R as above, consider a QPT S(1λ), called a quantum hidden partition sampler (QHPS) that samples (|P
, Π,
, aux)←S(1λ) such that:
Now consider two experiments involving a QHPS S and a quantum adversary . The first, called the sink indistinguishability experiment, works as follows:
The second experiment, called the partition indisitnguishability experiment, works as follows:
S is a valid QHPS if for any QPT adversaries, 0,
1, there exists negligible functions negl0, negl1 such that the probability
0 wins the sink indistinguishability experiment is at most negl0(λ), and the probability
1 wins the partition indistinguishability experiment is at most negl1(λ).
Consider the POVM which runs (x, b)←(α), and run |P
(x) to obtain a bit b′. The POVM outputs 1 if b′=b. This POVM has a projective implementation, which we denote ProjImp(
(α)). Now, consider the following experiment with algorithm
:
Let LiveϵBOS be the event that
The event LiveϵBOS corresponds to |P being able to predict the bit b with advantage at least ϵ. Let SuccessϵBOS be the event that
outputs a w≠⊥ such that R(Π, w)=1, and let FailϵBOS be the event that
outputs a w≠⊥ such that R(Π, w)=0.
, α, Ω, R is solvable if there exists a
(|P
, ϵ) that runs in time polynomial in λ and 1/ϵ and makes quantum queries to
, such that for any valid QHPS S and inverse-polynomial ϵ there is a negligible negl such that Pr[LiveϵBOS ∧¬SuccessϵBOS]≤negl(λ) and Pr[FailϵBOS]≤negl(λ). In other words,
should almost always succeed if |P
starts out live, and
should almost never output a w that is not accepted by R (outputting ⊥ instead if it cannot succeed).
Now consider a stateful interactive potentially randomized algorithm O which takes as a secret input a partition H, and then receives a sequence of queries q1, q2, . . . ∈ and produces a corresponding sequence of outputs o1, o2, . . . ∈{0,1}. We will denote an interactive algorithm
interacting with O and outputting w as w←
⇔O(Π).
O is a BOS oracle if, for any partition Π and any poly-length sequence of queries q1, q2, . . . , O(Π) satisfies each of the following guarantees:
A PPT algorithm solves R (with the associated
, α, Ω) in the BOS model if, for any BOS oracle O and any partition Π of Q, then Pr[R(Π, w)=1:w←A⇔O(Π)]=1.
Here, we present the main technical tool of this paper:
For any R, , α, R, Ω, if there exists an algorithm
which solves R in the BOS model in polynomial time, then R,
, α, Ω is solvable. We now prove Theorem 4.3. We first assume without loss of generality that
has the following properties:
We describe the algorithm given a normal form
: Let
be any normal form algorithm in the BOS model. Consider a quantum program |P
stored in register
. First, define the following:
We now prove that solves
, α, Ω, R. We first need the following lemma:
Suppose does not abort in Step 2e. Then except with negligible probability, every query qi that
responds with 1 will have pq
does not abort in Step 2e only if pq
except with negligible probability. First consider replacing EST(qi)=APIϵ′/4,δPred,(q
(qi)), giving outcome p′. By Lemma 2, since Δϵ′/4(EST(qi), ProjImp(
(qi))≤δ, we have |p′−pq
Now suppose LiveBOS happens. In this case, by Lemma 2, Δϵ′/4(EST(α), ProjImp((α)))≤δ. This means, except with negligible probability δ, pα=pq
will not abort in Step 2e. Therefore, by Lemma 4.3,
presents a BOS oracle to
, meaning
outputs a w such that R(Π, w)=1. Thus LiveϵBOS∧¬SuccessϵBOS happens except with negligible probability.
We now turn to proving that FailϵBOS happens with negligible probability. For FailϵBOS to happen, we must have (1) that does not abort in Step 2e, and (2) that
fails to output a w such that R(Π,w)=1. But by Lemma 4.3, if
does not abort, then it presents a BOS oracle to
except with negligible probability, meaning R(Π, w)=1. Thus FailϵBOS happens with negligible probability. This completes the proof of Theorem 4.3.
5 Post-Quantum Tracing with Embedded Identities
Here, we show how to build embedded identity traitor tracing from functional encryption, specifically a special case called private linear broadcast encryption (PLBE). PLBE with polynomial index space was first formalized by Boneh, Sahai, and Waters to build ordinary traitor tracing in the classical setting, and the result was upgraded to the quantum setting by Zhandry, though only in the setting of polynomial identity spaces. Using PLBE with exponential index space to build embedded identity traitor tracing was proposed by Nishimaki, Wichs, and Zhandry for the classical setting. Here, we upgrade their result to the quantum setting.
Let ΓFE be a functional encryption scheme. We construct the traitor tracing scheme ΓTT=(GenTT, DeriveTT, EncTT, DecTT, TraceTT), where we define GenTT, DeriveTT, EncTT, DecTT below:
We use the hidden partition Bnd, αBnd, ΩBnd, RBnd. We now explain how Construction 5 leads to an instance of the quantum hidden partition problem relative to this partition. We interpret an adversary
TT interacting in the tracing experiment as a quantum hidden partition sampler STT, where |P
is the decoder |D
outputted by
TT, Π is the contiguous partition whose boundaries are the identities queried by
TT. Finally
, on input q, encrypts (q, mb) for a random choice of b to get ciphertext c, and outputs (c, b).
Assuming ΓFE is an adaptively secure FE scheme, the QHPS STT is valid for Bnd, αBnd, ΩBnd, RBnd. The unique sink is 0, and note that encryptions of (0, m) computationally hide m, since the only secret keys are fid for id>0. Thus the probability the adversary can predict b (and therefore win the sink indistinguishability experiment) is at most ½+negl.
Next, observe that encryptions of (q, m) and (q′, m) for q′>q decrypt identically under any secret key except those for id in the interval [q, q′−1]. Thus, by FE security, the encryptions are indistinguishable unless the adversary has an id∈[q, q′−1], meaning no efficient adversary can distinguish query responses from the same part of Π. Therefore, the probability of winning the partition indistinguishability experiment is ½+negl.
Assuming ΓFE is an adaptively secure FE scheme Construction 5 is quantum traceable. Let(|P
, 11/ϵ) be the algorithm guaranteed by Theorem 4.3 and the existence of
Bnd. Then set TraceTT(pk, m0, m1, 11/ϵ, |D
) to be
(|D
, 11/ϵ) where
is the sampler above obtained from pk, m0, m1. Now consider the events LiveϵBOS, SuccessϵBOS, FailϵBOS for the QHPS described above, and the events LiveϵTT, SuccessϵTT, FailϵBOS for the tracing experiment with ΓTT from Construction 5. We see that the events exactly coincide; in particular D(α) is identical to running EncTT(pk, mb) for a random choice of b. Thus, by the guarantees of Theorem 4.3, ΓTT in Construction 5 is secure.
6 Traitor Tracing from Collusion-Resistant IPP Codes
It was previously shown how to construct collusion-secure traitor tracing with constant-sized ciphertexts from binary fingerprinting codes. The scheme, described momentarily, naturally generalizes to larger alphabets (at the cost of larger ciphertexts). However, the code needed for the generalization is not a fingerprinting code, but a collusion resistant identifiable parent property (IPP) code, which has a different marking condition. It turns out that IPP codes and fingerprinting codes coincide for binary codes. But by generalizing to larger alphabets (and using IPP codes) we can abstract other existing combinatorial schemes in the literature such as Chor, Fiat, and Naor.
We now recall the scheme, which is parameterized by a parameter t.
Let (GenPK, EncPK, DecPK) be a public key encryption scheme and (GenIPP, TraceIPP) a δ-robust fingerprinting code. Define the following algorithms, which depend on a parameter σ that may be a function of δ, λ, :
We can easily mimic the above strategy in the quantum setting to derive a measurement for each i which computes wi*. The problem is that the measurements for each i might be incompatible, which means that the tracing algorithm cannot apply these measurements simultaneously. If applied sequentially, it could be that after computing the first several positions, the decoder becomes dead. There is no guarantee that an entire codeword w* can be computed.
More abstractly, any tracing algorithm that works within the globally consistent hidden partition model is likely only able to extract logarithmically many bits, which is insufficient for obtaining a full codeword for the fingerprinting code.
We will assume the alphabet Σ is equal to [1, s]. Let Prod=[0, s]
and αProd=
. Let QδProd be the set of vectors w where the number of 0's is more than δ
. We call a partition Π of
valid if it is equal to a product partition Π1× . . . ×Π
where each Πi is a contiguous partition of [0, s].
Given a valid partition, let (ai,j)j for ∈[
] the boundaries of Πi. Let RδProd(Π, w) be the following relation:
The first condition means that we trivially win for all non-valid Π, and can focus on the case of valid Π, where the goal is to find a string w that does not have too many ? and matches the boundaries of the product partition.
We now explain how the tracing experiment for Construction 6 leads to a QHPS relative to (Prod, αProd, ΩδProd, RδProd). Given an adversary
TT, we define the QHPS SProd as follows: first run the tracing experiment with
TT, until
TT outputs (|D
, m0*, m1*
). Then set |P
=|D
. Let S be the set of id queried by
TT, and let S′ be the corresponding set of codewords in the IPP code given to the users in S. Let Π be the valid partition generated by S′.
Finally, let (q) be the algorithm which does the following: choose a random subset T⊆[
] of size t. Choose a random bit b, and let m=mb*. Then let mj,
∈T be a t-out-of-t secret sharing of m: mj are uniform conditioned on ⊕j∈Tmj=m. For each j∈T, σ∈Σ, compute
Output c=(T, {cj,σ}j∈T,σ∈Σ) and b. In other words, (q) outputs an encryption of a random choice of mb*, except that it replaces the ciphertext components cj,σ with junk (importantly, independent of b) if qj<σ.
The QHPS then outputs (|P, Π,
).
Assuming ΓPK is semantically secure and either (1) t≥(1−δ) or (2)
is negligible, then SProd is valid for Prod, αProd, ΩProd, RProd. Let q∈ΩProd. Then q has strictly more than δ
zeros; call this set
. If T∩
≠0, then the share mj inside T∩
is information-theoretically hidden given c. Since the mj form a t-out-of-t secret sharing, this means if T∩
≠∅, then b is statistically hidden. Thus, to prove the sink indistinguishability problem is hard, we just need to show that T∩
≠0 with overwhelming probability. A simple combinatorial argument shows that
If t>(1−δ), then
If t=(1−δ), then (1−δ)
−t=0. In either case, Pr[T∩
≠∅]=1. Alternatively, if
is negligible, then Pr[T∩≠∅]≥1−negl. Thus, under the conditions of Lemma 6.1, the sink indisitnguishability problem is hard.
We now turn to the partition indisitnguishability experiment. Suppose q1, q2 are in the same part of Π, and consider the distributions (q1) and
(q2). We will argue they are indistinguishable. Toward that end, consider some j∈[
]. Since q1, q2 are in the same part of Π, then q1,j and q2,j are in the same part of Πj. If we assume w log that q1,j≤q2,j, then Πi has no boundary in (q1,j,q2,j]. Now consider a ciphertext component cj,σ. If σ≤q1,j, then the distributions of cj,σ under
(q1) and
(q2) are identical. Likewise if σ>q2,j. On the other hand, for σ∈(q1,j, q2,j),
TT does not have the secret key dkj,σ. By the semantic security of ΓPK, the adversary cannot distinguish cj,σ under
(qi) and
(q2).
By a hybrid over all j, no efficient adversary can distinguish (q1) from
(q2), proving the hardness of the partition indistinguishability experiment.
[BOS Algorithm Prod] Initialize x∈[0,
], and set x=
. Now query on x, which by definition gives 1. Then do the following for i=1, . . . ,
+1:
Prod solves (Prod, αProd, ΩProd, RδProd) in the BOS model. We maintain the invariant that each time we exit an iteration of the main loop over i, the last query was on x and the response was 1. There are two cases:
We also see that if we exit the loop of Step 1 via Step 1c, then the adjacent queries x and x′ resulted in different outcomes, meaning a is a boundary of Πi.
The result is that the final x is a string where all the non-zero terms are boundaries of the respective component partition, and x∉ΩProd (since the query output was no 0), meaning the number of 0's in x is at most δ. Thus when we replace 0's with ?'s to get w, we have that RProd(Π, w)=1. We finally note that the number of queries
Prod makes is at most O(s
), which is polynomial.
Assuming ΓPK is a secure PKE scheme, Construction 6 is quantum traceable.
7 Tracing Embedded Identities with Short Ciphertexts
In Construction 5 from Section 5, the string x is n bits long, where n is the bit length of identities. It is also part of the message inputted to EncFE of the underlying functional encryption scheme. Therefore, the ciphertext size must grow with the bit length of identities. As observed by Nishimaki, Wichs, and Zhandry, this is not inherent to traitor tracing. They instead propose a different structure where ciphertexts may be independent of the identity length. We now recall their construction:
Let ΓFE be a functional encryption scheme. We construct the traitor tracing scheme ΓTT=(GenTT, DeriveTT, EncTT, DecTT, TraceTT), where we define GenTT, DeriveTT, EncTT, DecTT below:
Note here that x∈[0,2N]=[0,2λ+1] and i∈[n], so the inputs to EncTT are bounded by O(λ) bits long, independent of n. Thus if ΓFE has succinct ciphertexts, so will ΓTT.
Quantumly, we can employ the same strategy to recover τ, id1. However, recovering the rest of the bits of id will not work as in the classical case. This is because the probabilities p0, p1 may change as we further interrogate the decoder, so we cannot simply compare with the previous value. We therefore need to develop a new quantum algorithm for the problem.
Let QShort=[n]×[0,2N] where N=2λ. Let αShort=(1,2N). Let ΩShort={(i,0)}. Consider a sequence (τ(1), id(1)), . . . , (τ(t), id(t)) where id(j)∈{0, 1}* and τ(j) ∈[N] with τ(1)<τ(2)< . . . <τ(t). This gives rise to a partition Π={S0, . . . , St} of QShort consisting of sets Sj={(i,x):2τ(j)idi(j)≤x<2τ(j+1)−idi(j+1)} for j=1, . . . , t−1, S0={(i,x): x<2τ(1)−idi(1)}, and St={(i,x):2τ(t)−idi(t)≤x}. We call Π of this form contiguous, and we call (τ(j), id(j)) the boundaries of Π. Let RShort(Π, w) be the following relation:
We now explain how Construction 7 leads to the quantum hidden partition problem relative to this partition. We interpret an adversary TT interacting in the tracing experiment as a quantum hidden partition sampler STT, where |P
is the decoder |D
outputted by
TT, Π is the contiguous partition whose boundaries are the identities queried by
TT. Finally
, on input (i, q), encrypts ((i, q), mb) for a random choice of b to get ciphertext c, and outputs (c, b).
Assuming ΓFE is a secure FE scheme, the QHPS is valid for Short, αShort, ΩShort, RShort The sinks have the form (i, 0), and note that encryptions of ((i, 0), m) computationally hide m, since the only secret keys are fid for id>0. Thus the probability the adversary can predict b (and therefore win the sink indistinguishability experiment) is at most ½+negl.
Next, observe that encryptions of ((i, q), m) and ((i′, q′), m) decrypt identically if (i, q) and (i′, q′) are in the same part of H. Thus, by FE security, the encryptions are indistinguishable if they lie in the same part. Therefore, the probability of winning the partition indistinguishability experiment is ½+negl.
[BOS Algorithm Short] Initialize integers a, b∈[0, 2N] and i∈[n]. Set a=2N, b=0, and query on (1, a), which by definition gives response o=1. Then do the following for at most O(kn log2 N) steps, where k in an upper bound on the number of parts in Π:
Short solves (Short, αShort, ΩShort, RShort) in the BOS model. We will eventually find a, b=a−1 where the previous query was on (1, a−1) and gave 0, and the query before was on (1,a) and gave 1. This is Step 3b. By local consistency, a=2τ−id1 for some (τ, id) that defined the partition. We then query on (1, a) again, which by single step rewinding gives 1.
It remains to show that id is obtained in its entirety. This is done by trying to ascertain if (i, 2τ−1) lies in the same part as (1, a) or (1, a−1). This is done by querying on (i,2τ−1). If the result is 0 (Step 3(b)ii), we know by local consistency (and the fact that the last query was on (1, a) and gave 1) that (i, 2τ−1) cannot be in the same part as (1, a). So we set idi=0 and move on to the next bit of id. In order to guarantee that the last query response was 1, we query again on (1, a), which, by single-step rewinding will give 1.
If o=1, we do not immediately learn which part (i, 2τ−1) is in. So we also query on (i, 2τ−2) to get response o′ (Step 3(b)iiiA). If the response is now 0, we know that (i,2τ−1) and (i, 2τ−2) are in different parts, meaning (i, 2τ−1) is in the same part as (1, a). Thus we set idi=1 and move on to the next bit of id (Step 3(b)iiiB). But first we query again on (i, 2τ−1), which by single-step rewinding gives 1. Then we query on (1, a), which gives 1 by local consistency.
If on the other hand the response o′ is once again 1, then we learn nothing about idi. However, in this case, we have exactly the setup of a new hidden partition with N=τ−1. In particular, we know there must be a (τ′, id′) with τ′<τ. We therefore proceed back to Step 1 but with the new N=τ−1. A simple inductive argument shows that we will eventually find such a (τ′, id′). This completes the proof.
Assuming FE, Construction 7 is quantum traceable. Let (|P
, 11/ϵ) be the algorithm guaranteed by Theorem 4.3 and the existence of
Short. Then set TraceTT(pk, m0,m1, 11/ϵ, |D
) to be
(|D
, 11/ϵ) where
is the sampler obtained from pk, m0, m1 described in Section 7.1. Now consider the events LiveϵBOS, SuccessϵBOS, FailϵBOS for the QHPS described in Section 7.1, and the events LiveϵTT, SuccessϵTT, FailϵTT for the tracing experiment with ΓTT from Construction 7; in particular D(α) is identical to running EncTT(pk, mb) for a random choice of b. We see that the events exactly coincide. Thus, by the guarantees of Theorem 4.3, ΓTT in Construction 7 is secure.
Referring to
In some aspects, the Translator Algorithm and the Query Generator Algorithm may be instantiated, forming a computer tracer apparatus. The Translator Algorithm may receive a decoder program and generate responses to queries based on a set of rules, which may include a state repair procedure. In some cases, the Translator Algorithm may produce a final output based on the final output from the Query Generator Algorithm and store this as the identity of one or more traitor users.
Upon receiving a query from the Query Generator Algorithm, the Translator Algorithm may perform the state repair procedure or may not, depending on the queries received by that time. The Translator Algorithm may then respond to the query with 0 or 1 based on a computation involving the query and the decoder.
The state repair procedure may receive as input a quantum decoder as a quantum system and two quantum measurements M1, M2 whose outputs are real numbers between 0 and 1, and a threshold. The state repair procedure may modify the decoder in order to increase the value produced by M1. The state repair procedure may then alternatively apply M1, M2, M1, M2, . . . , and terminate when an application of M1 produces an output above the threshold.
In some aspects, the translator algorithm may include a probability estimation procedure. This procedure may execute based on a query, denoted as qi, and using the decoder program. The outcome of this procedure, denoted as pqi, may be a real number between 0 and 1. Based on previous outputs of the probability estimation procedure, the translator algorithm may set an output, denoted as oqi, to be either 0 or 1.
In some cases, the query generator algorithm may execute by initializing two integers, denoted as a and b, to be a value N and 0, respectively, where N is determined based on system parameters. The query generator algorithm may then produce a query, denoted as qi, which is set to b. Upon obtaining a response, denoted as o, the query generator algorithm may adjust the integers a and b based on the response. If the response o equals 1, the query generator algorithm may set a to be b and b to be 0, and then proceed to generate a new query. Otherwise, if b equals a minus 1, the query generator algorithm may output a as the final output. If b does not equal a minus 1, the query generator algorithm may produce a new query qi, set b to be the integer part of the sum of a and b divided by 2, and then proceed to generate a new query. This process may continue until a final output is produced by the query generator algorithm.
To accomplish this, the parties may use any of the computer systems, including the communications networks, described herein.
In some embodiments the client device 104 embodies one or more computing devices embodied in hardware, software, firmware, and/or any combination thereof. The client device 104 may be embodied by a user device configured to provide various functionality. In this regard, the client device 104 may embody a conventional computing environment that interacts with the quantum computing system 102. Non-limiting examples of a client device 104 include a specially configured mobile device, tablet, smartphone, personal computer, laptop, enterprise terminal, and/or the like. In some embodiments, the client device 104 is configured entirely by specially configured software application(s) installed to and/or otherwise executable via the client device 104 to provide various functionality for accessing and/or otherwise controlling the quantum computing system 102 as described herein. In various embodiments, the client device 104 is a conventional and/or classical computer.
In some embodiments, the client device 104 includes specially configured hardware, software, firmware, and/or a combination thereof, that enables access to and/or configuration of the quantum computing system 102. In some embodiments, the client device 104 provides access to functionality for generating and/or retrieving a quantum program for execution via a quantum computer of the quantum computing system 102. In this regard, the client device 104 may receive one or more user input(s) for constructing and/or that otherwise embody the quantum program to be executed. In this regard, a user of the client device 104 may interact with the client device 104 to construct a quantum circuit, store the quantum circuit, and submitting the quantum circuit for execution via a quantum computing system, such as the quantum computing system 102. In some embodiments, the client device 104 is embodied by a user-facing device of the quantum computing system 102, for example such that communications can occur without requiring the communications network 106.
Alternatively or additionally, in some embodiments, the client device 104 enables user input and/or output for accessing the quantum computing system 102 to execute a quantum program. In some embodiments, the client device 104 communicates with one or more computing devices of the quantum computing system 102, such as a controller, that generates and/or compiles instructions for executing via a quantum computer. For example, in some embodiments, the quantum computing system 102 includes a controller that receives the quantum program from the client device 104 and compiles it to produce control system instructions embodying hardware manipulation instructions for running the quantum program on a specific quantum computer. In some embodiments, the controller is embodied by one or more computing devices external from but communicable with the quantum computing system 102. For example, the controller may be embodied by a circuit compiler embodied in a dedicated computing system embodied in hardware, software, firmware, and/or a combination thereof internal or external to the quantum computing environment 102, dedicated hardware communicable with a quantum computer of the quantum computing system 102, software executing on a computing system communicable with the quantum computer of the quantum computing system 102, and/or the like,
The quantum computing system 102 may include one or more computing device(s) that enable compilation of a quantum program and/or use of a quantum computer for preforming a quantum program. In some embodiments, for example, the quantum computing system 102 includes a controller, a quantum computing environment, and various devices for physically manipulating the quantum computer. The quantum computing environment may include an ion trap architecture (e.g., linear, loop, and/or the like) for storing and manipulating qubits for gating. The controller may embody one or more computing device(s) embodied in hardware, software, firmware, and/or a combination thereof, that control the various devices that manipulate the quantum computer. Such control device(s) may include laser(s), cooling device(s), and/or the like. In some embodiments, the controller embodies a conventional computing system, for example specially configured via one or more specialized software application(s) to execute one or more process(es) that determine positions for the qubits at various time steps and/or instructions for repositioning the qubits to such position. For example, the controller may determine position assignments for each qubit at various time steps, and/or instructions embodying swap commands to cause the qubits to reach such positions at each of the appropriate time steps. In some embodiments, one or more device(s) of the quantum computing system 102 (e.g., a controller) receive data from the client device 104 that embodies the quantum program, instructions to be performed to manipulate the quantum computer, and/or the like.
Although components are described with respect to functional limitations, it should be understood that the particular implementations necessarily include the user of particular computing hardware. It should also be understood that certain of the components described herein may include similar or common hardware. For example, two sets of circuitry may both leverage use of the same processor(s), network interface(s), storage medium(s), and/or the like, to perform their associated functions, such that duplicate hardware is not required for each set of circuitry. The user of the term “circuitry” as used herein with respect to components of the apparatuses described herein should therefore be understood to include particular hardware configured to perform the functions associated with the particular circuitry as described herein.
Particularly, the term “circuitry” should be understood broadly to include hardware and, in some embodiments, software for configuring the hardware. For example, in some embodiments, “circuitry” includes processing circuitry, storage media, network interfaces, input/output devices, and/or the like. Alternatively or additionally, in some embodiments, other elements of the apparatus 300 may provide or supplement the functionality of another particular set of circuitry. For example, the processor 302 in some embodiments provides processing functionality to any of the sets of circuitry, the memory 304 provides storage functionality to any of the sets of circuitry, the communications circuitry 308 provides network interface functionality to any of the sets of circuitry, and/or the like.
In some embodiments, the processor 302 (and/or co-processor or any other processing circuitry assisting or otherwise associated with the processor) may be in communication with the memory 304 via a bus for passing information among components of the apparatus 300. In some embodiments, for example, the memory 304 is non-transitory and may include, for example, one or more volatile and/or non-volatile memories. In other words, for example, the memory 304 in some embodiments includes or embodies an electronic storage device (e.g., a computer readable storage medium). In some embodiments, the memory 304 is configured to store information, data, content, applications, instructions, or the like, for enabling the apparatus 300 to carry out various functions in accordance with example embodiments of the present disclosure.
The processor 302 may be embodied in a number of different ways. For example, in some example embodiments, the processor 302 includes one or more processing devices configured to perform independently. Additionally or alternatively, in some embodiments, the processor 302 includes one or more processor(s) configured in tandem via a bus to enable independent execution of instructions, pipelining, and/or multithreading. The use of the terms “processor” and “processing circuitry” may be understood to include a single core processor, a multi-core processor, multiple processors internal to the apparatus 300, and/or one or more remote or “cloud” processor(s) external to the apparatus 300.
In an example embodiment, the processor 302 may be configured to execute instructions stored in the memory 304 or otherwise accessible to the processor. Alternatively or additionally, the processor 302 in some embodiments is configured to execute hard-coded functionality. As such, whether configured by hardware or software methods, or by a combination thereof, the processor 302 may represent an entity (e.g., physically embodied in circuitry) capable of performing operations according to an embodiment of the present disclosure while configured accordingly. Alternatively or additionally, as another example in some example embodiments, when the processor 302 is embodied as an executor of software instructions, the instructions may specifically configure the processor 302 to perform the algorithms embodied in the specific operations described herein when such instructions are executed.
As one particular example, the processor 302 may be configured to perform various operations associated with improved traitor tracing, for example as described with respect to operation of the quantum computing system 102 and/or as described further herein.
In some embodiments, the apparatus 300 includes input/output circuitry 306 that may, in turn, be in communication with processor 302 to provide output to the user and, in some embodiments, to receive an indication of a user input. The input/output circuitry 306 may comprise one or more user interface(s) and may include a display that may comprise the interface(s) rendered as a web user interface, an application user interface, a user device, a backend system, or the like. In some embodiments, the input/output circuitry 306 may also include a keyboard, a mouse, a joystick, a touch screen, touch areas, soft keys a microphone, a speaker, or other input/output mechanisms. The processor 302 and/or input/output circuitry 306 comprising the processor may be configured to control one or more functions of one or more user interface elements through computer program instructions (e.g., software and/or firmware) stored on a memory accessible to the processor (e.g., memory 304, and/or the like). In some embodiments, the input/output circuitry 306 includes or utilizes a user-facing application to provide input/output functionality to a client device and/or other display associated with a user.
The communications circuitry 308 may be any means such as a device or circuitry embodied in either hardware or a combination of hardware and software that is configured to receive and/or transmit data from/to a network and/or any other device, circuitry, or module in communication with the apparatus 300. In this regard, the communications circuitry 308 may include, for example, a network interface for enabling communications with a wired or wireless communication network. For example, the communications circuitry 308 may include one or more network interface card(s), antenna(s), bus(es), switch(es), router(s), modem(s), and supporting hardware, firmware, and/or software, or any other device suitable for enabling communications via one or more communication network(s). Additionally or alternatively, the communications circuitry 308 may include circuitry for interacting with the antenna(s) and/or other hardware or software to cause transmission of signals via the antenna(s) or to handle receipt of signals received via the antenna(s). In some embodiments, the communications circuitry 308 enables transmission to and/or receipt of data from a client device in communication with the apparatus 300.
It should be appreciated that, in some embodiments, qubit positioning circuitry 310 may include a separate processor, specially configured field programmable gate array (FPGA), or a specially programmed application specific integrated circuit (ASIC). Additionally or alternatively, in some embodiments, one or more of the sets of circuitries 302-310 are combinable. Alternatively or additionally, in some embodiments, one or more of the sets of circuitry perform some or all of the functionality described associated with another component. For example, in some embodiments, one or more of the sets of circuitry 302-310 are combined into a single module embodied in hardware, software, firmware, and/or a combination thereof. Similarly, in some embodiments, one or more of the sets of circuitry, for example qubit positioning circuitry 310 is combined such that the processor 302 performs one or more of the operations described above with respect to each of these modules.
Referring to
Referring now to
A number of implementations have been described. Nevertheless, it will be understood that various modifications may be made without departing from the spirit and scope of the disclosure. Accordingly, other implementations are within the scope of the following claims.
Although an example processing system has been described above, implementations of the subject matter and the functional operations described herein can be implemented in other types of digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them.
Embodiments of the subject matter and the operations described herein can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. Embodiments of the subject matter described herein can be implemented as one or more computer programs, i.e., one or more modules of computer program instructions, encoded on computer storage medium for execution by, or to control the operation of, information/data processing apparatus. Alternatively, or in addition, the program instructions can be encoded on an artificially-generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal, which is generated to encode information/data for transmission to suitable receiver apparatus for execution by an information/data processing apparatus. A computer storage medium can be, or be included in, a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them. Moreover, while a computer storage medium is not a propagated signal, a computer storage medium can be a source or destination of computer program instructions encoded in an artificially-generated propagated signal. The computer storage medium can also be, or be included in, one or more separate physical components or media (e.g., multiple CDs, disks, or other storage devices).
The operations described herein can be implemented as operations performed by an information/data processing apparatus on information/data stored on one or more computer-readable storage devices or received from other sources.
The term “data processing apparatus” encompasses all kinds of apparatus, devices, and machines for processing data, including by way of example a programmable processor, a computer, a system on a chip, or multiple ones, or combinations, of the foregoing. The apparatus can include special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit). The apparatus can also include, in addition to hardware, code that creates an execution environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a repository management system, an operating system, a cross-platform runtime environment, a virtual machine, or a combination of one or more of them. The apparatus and execution environment can realize various different computing model infrastructures, such as web services, distributed computing and grid computing infrastructures.
A computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, declarative or procedural languages, and it can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, object, or other unit suitable for use in a computing environment. A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or information/data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network.
The processes and logic flows described herein can be performed by one or more programmable processors executing one or more computer programs to perform actions by operating on input information/data and generating output. Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and information/data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for performing actions in accordance with instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive information/data from or transfer information/data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. However, a computer need not have such devices. Devices suitable for storing computer program instructions and information/data include all forms of non-volatile memory, media and memory devices, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.
To provide for interaction with a user, embodiments of the subject matter described herein can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor, for displaying information/data to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input. In addition, a computer can interact with a user by sending documents to and receiving documents from a device that is used by the user; for example, by sending web pages to a web browser on a user's client device in response to requests received from the web browser.
Embodiments of the subject matter described herein can be implemented in a computing system that includes a back-end component, e.g., as an information/data server, or that includes a middleware component, e.g., an application server, or that includes a front-end component, e.g., a client computer having a graphical user interface or a web browser through which a user can interact with an implementation of the subject matter described herein, or any combination of one or more such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital information/data communication, e.g., a communication network. Examples of communication networks include a local area network (“LAN”) and a wide area network (“WAN”), an inter-network (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks).
The computing system can include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. In some embodiments, a server transmits information/data (e.g., an HTML page) to a client device (e.g., for purposes of displaying information/data to and receiving user input from a user interacting with the client device). Information/data generated at the client device (e.g., a result of the user interaction) can be received from the client device at the server.
While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any disclosures or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular disclosures. Certain features that are described herein in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.
Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.
Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.
This application claims the benefit of U.S. Provisional Application Ser. No. 63/499,259 filed May 1, 2023, the content of which is incorporated by reference herein in its entirety.
| Number | Date | Country | |
|---|---|---|---|
| 63499259 | May 2023 | US |
