WO2022031624A1 - Quantum traitor tracing of pirate decoders - Google Patents


Info

Publication number
WO2022031624A1
Authority
WO
WIPO (PCT)
Application number
PCT/US2021/044229
Other languages
French (fr)
Inventor
Mark ZHANDRY
Original Assignee
Ntt Research Inc.

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852Quantum cryptography
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/606Traitor tracing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04NPICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/20Servers specifically adapted for the distribution of content, e.g. VOD servers; Operations thereof
    • H04N21/25Management operations performed by the server for facilitating the content distribution or administrating data related to end-users or client devices, e.g. end-user or client device authentication, learning user preferences for recommending movies
    • H04N21/258Client or end-user data management, e.g. managing client capabilities, user preferences or demographics, processing of multiple end-users preferences to derive collaborative data
    • H04N21/25808Management of client data
    • H04N21/2585Generation of a revocation list, e.g. of client devices involved in piracy acts

Abstract

Systems, methods, network devices, and machine-readable media are disclosed for a quantum tracer configured for identifying encryption keys being used in an unauthorized, or pirate, decoder apparatus in the setting of public key private linear broadcast encryption. Various embodiments can be operated with classical or quantum decoders.

Description

Quantum Traitor Tracing of Pirate Decoders
Inventor
Mark Zhandry
[001] CROSS-REFERENCE TO RELATED APPLICATIONS
[002] This application claims the benefit of U.S. Provisional Application No. 63/060,206, filed August 3, 2020, the entire contents of which are incorporated herein by reference.
[003] FIELD OF THE INVENTION
[004] The present disclosure relates to systems, methods, network devices, and machine-readable media for traitor tracing in a quantum context.
[005] BACKGROUND OF THE INVENTION
[006] Traitor tracing helps protect content distributors from piracy. In such a system, every legitimate user has their own secret decryption key which can decrypt ciphertexts. The content distributor is worried about a user distributing their key to unauthorized users. Of course, there is nothing to actually prevent a user from distributing their key. Instead, in the event that the distributor discovers an unauthorized decryption key, the distributor would like to identify which user the key belonged to, so that user (deemed a "traitor") can be prosecuted and/or have their credentials revoked.
[007] This "tracing" should be possible even if the user attempts to hide the key, say, by embedding it in an obfuscated pirate decoder program. What's more, tracing should still identify a traitor even if many malicious users pool their keys into a single decoder in an attempt to confuse the tracing algorithm. Classical traitor tracing can be built rather easily from generic public key encryption, albeit with large ciphertexts. Therefore, the goal is typically to devise traitor tracing with small ciphertexts. Numerous number-theoretic and combinatorial schemes have been shown, with various trade-offs in terms of the other parameters of the system or the computational assumptions needed for security.
[008] Most of cryptography concerns several honest parties communicating with each other, while an adversary eavesdrops or manipulates the communication between them. Traitor tracing is in some sense the opposite: several dishonest parties (namely, the traitor(s) and the receiver of the pirate decoder) communicate, while the honest party (the content distributor) is intercepting this communication (the decoder). This role reversal makes traitor tracing a fascinating problem, as the very cryptographic techniques employed to help secure communication between honest parties — most relevant being program obfuscation — can be employed by the dishonest parties in an attempt to hide their identity and protect themselves from being traced.
[009] Quantum computers pose a looming threat to cryptography. By an unfortunate coincidence, the enhanced computational power of quantum computers allows for solving the exact mathematical problems, such as factoring and discrete log, underlying the bulk of public-key cryptography used today. The good news is that "quantum-safe" mathematical tools — such as lattices, multivariate equations, or isogenies — exist that can be used as a drop-in replacement. Nevertheless, many challenges remain.
[010] For example, if the traitor has a quantum computer, and is sending its decoder to a quantum recipient, the traitor could in principle create and send a decoder comprising a quantum state. The entire system may remain classical under normal operation: keys, ciphertexts, encryption, and decryption are all entirely classical and can be run on classical computers and classical networks. The attackers only ever receive classical communication from the honest parties. Even so, the quantum attackers can use a communication channel outside of the system: they can meet in person to exchange the decoder, or perhaps send the decoder over an outside quantum-enabled network. Thus, absolutely nothing the content distributor does can prevent the traitor from sending a quantum decoding device.
[011] Existing traitor tracing results do not handle such quantum decoders. A quantum decoder can implement measures that explicitly evade traditional tracing algorithms. Classical tracing algorithms work by testing a decoder on a variety of different ciphertexts and examining the outputs. When moving to quantum decoders, the measurement principle in quantum mechanics means that extracting information from a quantum state may irreversibly alter it. This means, after potentially the first ciphertext is decrypted, the decoder's state may be irreversibly altered into a state that is no longer capable of decrypting, essentially self-destructing.
[012] A useful pirate decoder would likely not self-destruct on valid ciphertexts. However, crucially, all classical tracing algorithms will run the decoder on many invalid ciphertexts. A decoder could be implemented to self-destruct only when it identifies an invalid ciphertext. Existing classical tracing algorithms would fail in such a case.
[013] The above discussion means even the most basic of classical traitor tracing results are called into question in the setting of quantum decoders — for example, the aforementioned generic scheme from public key encryption.
[014] As such, classical tracing approaches cannot trace general quantum pirate decoders. Thus, new, inherently quantum tracing algorithms are needed. Given the inevitability of quantum computers, it is therefore imperative to develop traitor tracing definitions and schemes that are guaranteed to remain secure in the presence of quantum decoders.
[015] BRIEF DESCRIPTION OF THE DRAWINGS
[016] The accompanying drawings, which are included to provide further understanding and are incorporated in and constitute a part of this specification, illustrate disclosed embodiments, and together with the description, serve to explain the principles of the disclosed embodiments. In the drawings:
[017] Fig. 1 illustrates an example quantum method for identifying a pirate decoder.
[018] Fig. 2 illustrates an example system for performing quantum traitor tracing.
[019] Fig. 3 illustrates an example computer system architecture.
[020] Fig. 4 illustrates further details of an example computer system architecture.
[021] DETAILED DESCRIPTION
[022] This disclosure will make use of two formalisms for quantum measurements.
[023] The first, a positive operator valued measure (POVM), is a general form of quantum measurement. A POVM [formula image] is specified by a finite index set [formula image] and a set [formula image] of hermitian positive semidefinite matrices $M_i$ with the normalization requirement [formula image]. The matrices are called items of the POVM. When applying a POVM [formula image] to a quantum state [formula image], the result of the measurement is $i$ with probability $p_i = $ [formula image]. The normalization requirements for [formula image] and [formula image] imply that $\sum_i p_i = 1$, and therefore this is indeed a probability distribution. We denote by [formula image] the distribution obtained by applying [formula image] to [formula image].
[024] The POVM formalism describes the probabilities of various outcomes, but it does not specify how [formula image] is affected by measurement. Indeed, there will be many possible implementations of a measurement giving rise to the same probability distribution of outcomes, but resulting in different post-measurement states.
[025] To account for this, the second formalism we will use is simply called a quantum measurement. Here, a quantum measurement [formula image] is specified by a finite index set [formula image] and a set [formula image] of matrices $E_i$ (not necessarily hermitian nor positive) such that [formula image] $= I$. The matrices $E_i$ are called measurement operators. When applying a quantum measurement to a quantum state [formula image], the result of the measurement is $i$ with probability $p_i = \langle\psi|E_i^\dagger E_i|\psi\rangle = \|E_i|\psi\rangle\|^2$. Conditioned on the outcome being $i$, the post-measurement state is $E_i|\psi\rangle/\sqrt{p_i}$, where the factor $\sqrt{p_i}$ is to ensure that the state is normalized.
[026] We note that any quantum measurement $\mathcal{E}$ is associated with a POVM $\mathcal{M} = \mathrm{POVM}(\mathcal{E})$ with $M_i = E_i^\dagger E_i$. We will call $\mathcal{E}$ an implementation of $\mathcal{M}$. We note that while each quantum measurement implements exactly one POVM, each POVM may be implemented by many possible quantum measurements.
[027] A projective measurement is a quantum measurement where the $E_i$ are projections: the $E_i$ are hermitian and satisfy $E_i^2 = E_i$. We note that $\sum_i E_i = \sum_i E_i^\dagger E_i = I$ implies that $E_i E_j = 0$ for $i \neq j$.
[028] A projective POVM is a POVM where the $M_i$ are projections. We note that the POVM associated with a projective measurement is projective. However, a projective POVM may be implemented by non-projective measurements. As with quantum measurements, a projective POVM will satisfy $M_i M_j = 0$ for $i \neq j$.
[029] Private Linear Broadcast Encryption
[030] Our construction will be based on Private Linear Broadcast Encryption (PLBE), a framework put forward by Boneh, Sahai, and Waters. A PLBE scheme is a triple of probabilistic classical polynomial time algorithms (Gen', Enc', Dec') where:
[031] • Gen'(1^N, 1^λ) takes as input a number of users N and a security parameter λ. It outputs a public key pk, plus N user secret keys sk_i for i ∈ [N].
[032] • Enc'(pk, j, m) takes as input the public key, an index j ∈ [0, N], and a message m. It outputs a ciphertext c.
[033] • Dec'(sk_i, c) takes as input a secret key sk_i for user i and a ciphertext, and outputs a message m' or a special abort symbol ⊥.
[034] Correctness
[035] For correctness, we require that user i can decrypt ciphertexts with index j, so long as i ≤ j. That is, there exists a negligible function negl(λ) such that for every λ and N ≤ 2^λ, for every i ∈ [N] and j ≥ i, we have that [formula image].
[037] Security
[038] Indistinguishability security says that encryptions to j = 0 completely hide the underlying message. A PLBE scheme (Gen', Enc', Dec') is indistinguishable secure if for all quantum polynomial time adversaries A, there exists a negligible function negl such that the probability that A wins in the following game is at most 1/2 + negl(λ):
[039] • A gets λ as input, and sends a number N represented in unary.
[040] • Run (pk, sk_1, ..., sk_N) <- Gen'(λ, N), and send pk to A.
[041] • A is then allowed to make an arbitrary number of classical queries on identities i ∈ [N], to which it receives sk_i in response.
[042] • Next, A outputs a pair of messages [formula image]. In response, choose a random bit b and send A the ciphertext c <- Enc'(pk, j = 0, m_b).
[043] • A is allowed to make more queries on identities i ∈ [N], to which it receives sk_i in response.
[044] • Finally, A outputs a guess b' for b. Output "win" if and only if b' = b.
[045] Index hiding security says that encryptions to j − 1 and j are only distinguishable to an adversary that has the secret key for user j.
[046] A PLBE scheme (Gen', Enc', Dec') is index hiding secure if for all quantum polynomial time adversaries A, there exists a negligible function negl such that the probability that A wins in the following game is at most 1/2 + negl(λ):
[047] • A gets λ as input, and sends a number N represented in unary.
[048] • Run (pk, sk_1, ..., sk_N) <- Gen'(λ, N), and send pk to A.
[049] • A is then allowed to make an arbitrary number of classical queries on identities i ∈ [N], to which it receives sk_i in response. Let S be the set of i queried during this phase.
[050] • Next, A outputs a pair (j, m) for j ∈ [N] such that j ∉ S. In response, choose a random bit b and send A the ciphertext c <- Enc'(pk, j − b, m) to index j − b.
[051] • A is allowed to make more queries on identities i ∈ [N] \ {j}, to which it receives sk_i in response.
[052] • Finally, A outputs a guess b' for b. Output "win" if and only if b' = b.
[053] From PLBE to Traitor Tracing
[054] The first three algorithms of our traitor tracing construction (Gen, Enc, Dec, Trace) will be immediately derived from the PLBE scheme: Gen = Gen', Enc(pk, m) = Enc'(pk, j = N, m), and Dec = Dec'. Correctness is immediate. In the following, we describe Trace.
[055] The Quantum Algorithm Trace
[056] The tracing algorithm described herein is needed to trace quantum pirates. First, we briefly explain how to implement API using Black Box Projection queries.
[057] Concretely, let [formula image], except that we augment the decoder with a qubit [formula image] originally set to |0⟩. Let [formula image] be another qubit, and [formula image] be a register containing a superposition of ciphertexts. Consider the following measurement process on registers [formula image]:
[058] • Perform the map [formula image] on the [formula image] registers.
[059] • Make a Black Box Projection query using the [formula image] registers as the query registers. Let o be the result.
[060] • Perform the map [formula image] on the [formula image] registers.
[061] • Output 1 − o.
[062] This measurement process has exactly the form of a collection of projective measurements [formula image] using the [formula image] registers as the control. For a decoder in its initial state (meaning [formula image] is initialized to [formula image]) and for a given bit/ciphertext pair (b, c), the corresponding measurement outputs 1 exactly when the decoder would output b.
[063] We now give our algorithm Trace [formula image]:
[064] 1. Let [formula image].
[065] 2. Run [formula image], where [formula image] is the following distribution:
[066] - Run [formula image].
[067] - Compute [formula image].
[068] - Output (b, c).
[069] 3. If [formula image], abort and output the empty set {}.
[070] 4. Otherwise, do the following: start by initializing S' = {}. Then for j = N to j = 1,
[071] - Compute [formula image].
[072] [formula image]
[073] Finally, output S'.
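The structure of Trace above (estimate the decoder's success probability at index N, abort if it is not a useful decoder, then walk j from N down to 1 and accuse user j when the success probabilities at j and j − 1 differ by more than a threshold) can be exercised on a classical model. The following Python is an added example and is not the patent's own code: it summarises a pirate decoder by the set of user keys embedded in it (by PLBE correctness, key i decrypts an index-j ciphertext exactly when i ≤ j, and index 0 decrypts for nobody), replaces the quantum estimator with plain sampling of the decoder's success rate, and runs the tracing loop. The decoder's key-choice behaviour, the names `PirateDecoder`, `estimate_success` and `trace`, and the thresholds `min_success` and `gap` are assumptions of this example; the patent's actual thresholds are in the figures that are not reproduced here.

```python
import random


class PirateDecoder:
    """Constructed model of a pirate decoder for this example: the decoder is
    summarised by the set of user keys embedded in it.  By PLBE correctness,
    key i decrypts a ciphertext encrypted to index j exactly when i <= j, and
    index 0 decrypts for nobody.  Assumed behaviours: by default the decoder
    picks one embedded key uniformly at random per ciphertext; with
    try_all_keys=True it succeeds whenever any embedded key works."""

    def __init__(self, keys, seed=0, try_all_keys=False):
        self.keys = sorted(keys)
        self.try_all_keys = try_all_keys
        self.rng = random.Random(seed)

    def decrypts(self, j):
        if not self.keys:
            return False
        if self.try_all_keys:
            return self.keys[0] <= j
        return self.rng.choice(self.keys) <= j


def estimate_success(decoder, j, samples):
    """Classical stand-in for the quantum estimator API: query the decoder on
    `samples` ciphertexts encrypted to index j and return its success fraction."""
    hits = sum(1 for _ in range(samples) if decoder.decrypts(j))
    return hits / samples


def trace(decoder, N, samples=2000, min_success=0.25, gap=0.2):
    """Structure of the Trace algorithm.  `min_success` (step 3) and `gap`
    (step 4) are assumed thresholds; the patent's own are not reproduced here."""
    p_next = estimate_success(decoder, N, samples)   # step 2: estimate p_N
    if p_next < min_success:                          # step 3: not a useful decoder
        return set()
    accused = set()                                   # step 4: S' = {}
    for j in range(N, 0, -1):                         # j = N down to 1
        p_prev = estimate_success(decoder, j - 1, samples)
        # Index hiding: p_j and p_{j-1} can only differ noticeably if the
        # decoder holds key j, so a large gap identifies user j as a traitor.
        if p_next - p_prev > gap:
            accused.add(j)
        p_next = p_prev
    return accused


if __name__ == "__main__":
    print(trace(PirateDecoder({3, 6}), 8))                      # {3, 6}
    print(trace(PirateDecoder({3, 6}, try_all_keys=True), 8))   # {3}
    print(trace(PirateDecoder(set()), 8))                       # set()
```

With keys {3, 6} and the random-key behaviour the success probability steps from 0 to 0.5 at j = 3 and from 0.5 to 1 at j = 6, so both users are accused; a decoder that tries every key shows a single step at its smallest key, and Trace still identifies that one traitor, which is all the PLBE argument promises when keys are pooled.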
[074] The Algorithm [formula image]
[075] We consider the following abstract setup. We have a collection of [formula image] binary outcome projective measurements [formula image] over the same Hilbert space [formula image]. Here, $P_i$ corresponds to outputting 0, and [formula image] corresponds to outputting 1. We will assume an efficient procedure for performing the measurements [formula image] "in superposition" over i. That is, there is an efficient procedure for implementing the following projective measurement over [formula image]:
[076] [formula image]
[077] Here, [formula image] we call a collection of projective measurements, and call J the control. For a distribution D over [formula image], let [formula image] be the following POVM:
[078] • Sample a random i <- D.
[079] • Apply the measurement [formula image]. Output the resulting bit.
[080] We call [formula image] a mixture of projective measurements. The POVM [formula image] is given by the matrices [formula image] where [formula image].
[082] In this section, we will address two questions:
[083] • Since [formula image] has a binary outcome, there exists a projective implementation ProjImp([formula image]). Can we efficiently approximate the measurement?
[084] • If [formula image] are computationally indistinguishable, what does that say about the outcomes of [formula image]?
[085] Approximating Projective Implementations
[086] We address efficiently approximating the projective implementation [formula image] of a mixture of projective measurements [formula image]. We note that in general the exact measurement must be computationally infeasible, since in particular this setting captures the case of estimating classical probability distributions, which is infeasible to do exactly. Instead, we can hope to estimate the measurement. However, since the proof of existence of the measurement relied on eigen-decomposition of potentially exponentially large matrices, it is unclear a priori how to accomplish this.
[087] Toward that end, we develop a new algorithm API, which we will demonstrate efficiently approximates the projective implementation of [formula image]. We define three subroutines:
[088] Controlled Projection
[089] Let [formula image] be a collection of projective measurements over a Hilbert space [formula image], and [formula image] a distribution with random coin set [formula image]. Let [formula image]. We define the controlled projection, denoted [formula image], as the following: [formula image]
[091] In other words, [formula image] acts on two sets of registers, one corresponding to a superposition over random coins r, and the other being [formula image]. The action of [formula image] is to use r as a control, to apply the corresponding projective measurement [formula image] to [formula image].
[092] Uniform Test
[093] We will abuse notation and let [formula image] for a set [formula image] to also denote the [formula image]-dimensional Hilbert space. We define the uniform test, denoted [formula image], as [formula image].
[095] We note that both the Controlled Projection and Uniform Test are projective measurements, while the Modified Controlled Projection is not projective.
[096] With reference to Fig. 1, the Algorithm API is disclosed.
[097] The algorithm is parameterized by a distribution D, a collection of projective measurements [formula image], and real values 0 < [formula image] < 1, and is denoted as [formula image]. On input a quantum state [formula image] over Hilbert space [formula image], it works as follows:
[098] 1. Initialize a new register [formula image] to the state [formula image].
[099] 2. Initialize a classical list L = (0).
[100] 3. Repeat the following "main loop" a total of T times:
[101] (a) Apply the controlled projection [formula image] over the joint system [formula image], resulting in measurement outcome b_{2i−1}. Append b_{2i−1} to the end of L.
[102] (b) Apply the Uniform Test to the system [formula image], resulting in measurement outcome b_{2i}. Append b_{2i} to the end of L.
[103] 4. Let t be the number of bit flips in the sequence L = (0, b_1, b_2, ..., b_{2T}), and let [formula image] be the fraction of bit flips [formula image].
[104] 5. If in the last iteration of the "main loop" b_{2T} = 1, repeat the "main loop" until the first time b_{2i} = 0.
[105] 6. Discard the [formula image] registers, and output [formula image].
[106] In some embodiments, the systems and methods executing on a quantum computer tracer for detecting if a decoder device is executing a pirated copy of a decryption key acquired from a traitor comprise: executing an algorithm for measuring an estimation of p_i, the algorithm comprising: an outer loop, the outer loop further comprising: initializing a predetermined number of bits n based on a broadcast encryption algorithm; initializing n qubits in a uniform superposition; initializing a classical list with one element set as 0; executing an inner loop a number of times, the number of times being based on: a decoder success probability, a number of users (the number of indices i) in the system, and a tracing algorithm success probability; wherein the inner loop comprises: (a) based on the n qubits and the current i, creating a quantum state that is a superposition of ciphertexts for the broadcast encryption algorithm and querying the decoder on the created quantum state to determine if the decoder was successful, and appending a 0 or 1 to the classical list accordingly; and (b) executing a quantum measurement operation to determine if the n qubits are in uniform superposition, and appending a 0 or 1 to the classical list accordingly; terminating the inner loop; determining the number of bit flips from a 0 to a 1 or a 1 to a 0 in the classical list; dividing the number of bit flips by the bit length of the classical list to derive a fraction of bit flips; repeating steps (a) and (b) until (b) outputs a 0; outputting the derived fraction of bit flips as an estimation p_i; terminating the outer loop; in sequential order of decreasing i, comparing each p_i by identifying a magnitude difference between two adjacent estimations; and determining if the decryption key for user i is executed by the decoder based on the magnitude of the difference being larger than a predetermined threshold.
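The inner loop of API in steps 1 to 6 above (and in the embodiment of [106]) alternates two projective measurements and reads the success probability off the flip rate of the recorded outcomes. The following Python is an added example, not the patent's own code, that simulates this on a constructed toy instance: a 2-dimensional decoder space H, a control register R over four uniformly random coins r, and for each coin a binary projective measurement whose outcome-1 projector P_r is given explicitly. It keeps the joint state R ⊗ H as an explicit vector, samples each measurement by the Born rule, counts flips in L, and returns the fraction as the estimate of ⟨ψ|M|ψ⟩ with M = Σ_r D(r) P_r. The projector choices, the uniform D, and the function names are assumptions of this example, as are its outcome conventions: the controlled projection outputs 1 when the P_r projection succeeds, and the uniform test outputs 0 when R is still in the uniform superposition.

```python
import math
import random

# Constructed toy instance (all values made up for illustration): the decoder
# register H is 2-dimensional, the control register R ranges over four coins r,
# and each coin r selects a binary projective measurement (P_r, I - P_r) on H,
# where P_r is the "outcome 1" projector (the decoder succeeds).
PROJECTORS = [
    [[1.0, 0.0], [0.0, 0.0]],  # r = 0: succeeds only on |0>
    [[1.0, 0.0], [0.0, 0.0]],  # r = 1: succeeds only on |0>
    [[0.0, 0.0], [0.0, 1.0]],  # r = 2: succeeds only on |1>
    [[1.0, 0.0], [0.0, 1.0]],  # r = 3: always succeeds
]


def matvec(m, v):
    return [sum(row[k] * v[k] for k in range(len(v))) for row in m]


def norm2(v):
    return sum(x * x for x in v)


def mixture_povm(projectors):
    """M = sum_r D(r) P_r for the uniform distribution D over coins: the
    mixture of projective measurements viewed as a single POVM element."""
    d = len(projectors[0])
    n = len(projectors)
    return [[sum(p[i][k] for p in projectors) / n for k in range(d)] for i in range(d)]


def success_probability(projectors, psi):
    """<psi|M|psi>, the quantity API is meant to estimate."""
    mpsi = matvec(mixture_povm(projectors), psi)
    return sum(a * b for a, b in zip(psi, mpsi))


def apply_cproj(state, projectors):
    """Controlled projection sum_r |r><r| (x) P_r on the joint register R (x) H.
    The joint state is a flat list indexed by r * dim(H) + h."""
    d = len(projectors[0])
    out = []
    for r, p in enumerate(projectors):
        out.extend(matvec(p, state[r * d:(r + 1) * d]))
    return out


def apply_not_uniform(state, num_coins):
    """Projector I - |D><D| (x) I: the Uniform Test's outcome 1, meaning the
    control register R has left the uniform superposition |D>."""
    d = len(state) // num_coins
    avg = [sum(state[r * d + h] for r in range(num_coins)) / num_coins for h in range(d)]
    return [state[r * d + h] - avg[h] for r in range(num_coins) for h in range(d)]


def measure(state, project, rng):
    """Binary projective measurement {Pi, I - Pi} with Born-rule sampling.
    Returns (outcome, normalised post-measurement state)."""
    hit = project(state)
    p1 = min(max(norm2(hit), 0.0), 1.0)
    if rng.random() < p1:
        scale = 1.0 / math.sqrt(p1)
        return 1, [x * scale for x in hit]
    miss = [a - b for a, b in zip(state, hit)]
    scale = 1.0 / math.sqrt(norm2(miss))
    return 0, [x * scale for x in miss]


def api(projectors, psi, T, seed=0):
    """The API algorithm with D uniform over the coins; returns the estimate p~."""
    rng = random.Random(seed)
    num = len(projectors)
    # Step 1: initialise R to |D> (uniform superposition); joint state |D> (x) |psi>.
    amp = 1.0 / math.sqrt(num)
    state = [amp * x for _ in range(num) for x in psi]
    L = [0]  # Step 2

    def main_loop(state):
        b_odd, state = measure(state, lambda s: apply_cproj(s, projectors), rng)   # (a)
        b_even, state = measure(state, lambda s: apply_not_uniform(s, num), rng)   # (b)
        return b_odd, b_even, state

    for _ in range(T):  # Step 3
        b_odd, b_even, state = main_loop(state)
        L += [b_odd, b_even]
    flips = sum(1 for k in range(len(L) - 1) if L[k] != L[k + 1])  # Step 4
    p_tilde = flips / (2 * T)
    while L[-1] == 1:  # Step 5: continue until the Uniform Test outputs 0
        b_odd, b_even, state = main_loop(state)
        L += [b_odd, b_even]
    return p_tilde  # Step 6: R is back in |D>, so it can be discarded


if __name__ == "__main__":
    for psi in ([1.0, 0.0], [0.0, 1.0]):
        print(psi, success_probability(PROJECTORS, psi), api(PROJECTORS, psi, 1500))
```

For the toy instance M is diagonal with entries 3/4 and 1/2, so |0⟩ and |1⟩ are eigenvectors of M. For a state that is an eigenvector with eigenvalue p, the two projectors act on a single two-dimensional Jordan block and every measurement in the alternation flips the previous outcome with probability exactly p, which is why the flip fraction concentrates around p; step 5's extra iterations return R to |D⟩ so that discarding it leaves the decoder state unentangled.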
[107] Hardware Overview
[108] Fig. 2 illustrates an example system 100 for performing quantum traitor tracing according to this disclosure. As shown in Fig. 2, the system 100 implements or includes a quantum computing system 102, which includes at least one quantum circuit 104. In this example, each quantum circuit 104 includes or operates using multiple qubits 106 and multiple couplers 108 that provide connectivity between the qubits 106. Each quantum circuit 104 also includes one or more control devices 110 that can affect the qubits 106.
[109] Each qubit 106 denotes any suitable structure configured to implement a quantum bit. Any suitable physical implementations of the qubits 106 (now known or later developed) could be used, such as those that use photons, atoms, ions, atomic nuclei, electrons, optical lattices, Josephson junctions, or quantum dots. Each coupler 108 denotes any suitable structure configured to facilitate interactions between qubits. Any suitable physical implementations of the couplers 108 (now known or later developed) could be used, including those that allow interactions between two qubits 106 and those that allow interactions between more than two qubits 106. Each control device 110 denotes any suitable structure configured to change a state or other characteristic of one or more qubits. Any suitable physical implementations of the control devices 110 (now known or later developed) could be used, such as those that can alter the states of photons, atoms, ions, atomic nuclei, electrons, optical lattices, Josephson junctions, or quantum dots. In some embodiments, the control devices 110 can generate magnetic fields to alter the qubits 106.
[110] In some embodiments, the quantum computing system 102 can include at least one input control device 112 and at least one readout control device 114 that facilitate input/output communications between the quantum computing system 102 and a classical computing system 116. For example, the input control device 112 could receive input data defining a type of problem to be solved or data associated with the problem to be solved, and the readout control device 114 could facilitate read-out of the qubits 106 after the qubits 106 have reached their final computational states. Each control device 112, 114 includes any suitable structure facilitating interactions with an external computing device or system.
[111] In this example, the classical computing system 116 includes at least one processing device 118, at least one storage device 120, at least one communications unit 122, and at least one input/output (I/O) unit 124. The processing device 118 executes instructions that may be loaded into a memory 126. The processing device 118 includes any suitable number(s) and type(s) of processors or other devices in any suitable arrangement. Example types of processing devices 118 include microprocessors, microcontrollers, digital signal processors, field programmable gate arrays, application specific integrated circuits, and discrete circuitry.
[112] The memory device 126 and a persistent storage 128 are examples of storage devices 120, which represent any structure(s) capable of storing and facilitating retrieval of information (such as data, program code, and/or other suitable information on a temporary or permanent basis). The memory device 126 may represent a random access memory or any other suitable volatile or non-volatile storage device(s). The persistent storage 128 may contain one or more components or devices supporting longer-term storage of data, such as a read only memory, hard drive, flash memory, or optical disc.
[113] The communications unit 122 represents an interface that supports communications with other systems or devices. For example, the communications unit 122 could include a network interface card or a wireless transceiver facilitating communications over a wired or wireless network. The communications unit 122 may support communications through any suitable physical or wireless communication link(s).
[114] The I/O unit 124 allows for input and output of data. For example, the I/O unit 124 may provide a connection for user input through a keyboard, mouse, keypad, touchscreen, or other suitable input device. The I/O unit 124 may also send output to a display, printer, or other suitable output device.
[115] In some embodiments, the pirate decoder functions may be performed by components of the classical computing system 116, while the quantum computing system 102 handles the traitor tracing routines. In other embodiments, the quantum computing system 102 operates as a standalone device (without a classical computing system 116). When implemented as a standalone device, the quantum computing system 102 may or may not be networked with or otherwise connected to other machines. In a networked deployment, the quantum computing system 102 may operate in the capacity of a server or a client machine in a client-server network environment or as a peer machine in a peer-to-peer or distributed network environment.
[116] Although Fig. 2 illustrates one example of a system 100 for performing traitor tracing, various changes may be made to Fig. 2. For example, while shown as being separate systems, various components of the quantum computing system 102 and the classical computing system 116 could be combined into a single apparatus or system. As a particular example, one, some, or all of the components of the classical computing system 116 could be used in the quantum computing system 102. This may allow, for instance, the quantum computing system 102 to transmit/receive data over at least one network via the communications unit(s) 122 or to transmit/receive I/O data via the I/O unit(s) 124.
[117] Figs. 3 and 4 depict example computer systems useful for implementing various embodiments described in the present disclosure. Various embodiments may be implemented, for example, using one or more computer systems, such as computer system 500 shown in Fig. 4. One or more computer system(s) 500 may be used, for example, to implement any of the embodiments discussed herein, as well as combinations and subcombinations thereof.
[118] As used herein, a computer system 500 may include one or more processors (also called central processing units, processing devices, or CPUs), such as a processor 504. Processor 504 may be connected to a communication infrastructure 506 (e.g., such as a bus).
[119] Computer system 500 may also include user input/output device(s) 503, such as monitors, keyboards, pointing devices, etc., which may communicate with communication infrastructure 506 through user input/output interface(s) 502. One or more of processors 504 may be a graphics processing unit (GPU). In an embodiment, a GPU may be a processor that is a specialized electronic circuit designed to process mathematically intensive applications. The GPU may have a parallel structure that is efficient for parallel processing of large blocks of data, such as mathematically intensive data common to computer graphics applications, images, videos, etc.
[120] Computer system 500 may also include a main memory 508, such as random-access memory (RAM). Main memory 508 may include one or more levels of cache. Main memory 508 may have stored therein control logic (i.e., computer software, instructions, etc.) and/or data. Computer system 500 may also include one or more secondary storage devices or secondary memory 510. Secondary memory 510 may include, for example, a hard disk drive 512 and/or a removable storage device or removable storage drive 514. Removable storage drive 514 may interact with a removable storage unit 518. Removable storage unit 518 may include a computer-usable or readable storage device having stored thereon computer software (control logic) and/or data. Removable storage drive 514 may read from and/or write to removable storage unit 518.
[121] Secondary memory 510 may include other means, devices, components, instrumentalities, or other approaches for allowing computer programs and/or other instructions and/or data to be accessed by computer system 500. Such means, devices, components, instrumentalities, or other approaches may include, for example, a removable storage unit 522 and an interface 520. Examples of the removable storage unit 522 and the interface 520 may include a program cartridge and cartridge interface, a removable memory chip (such as an EPROM or PROM) and associated socket, a memory stick and USB port, a memory card and associated memory card slot, and/or any other removable storage unit and associated interface.
[122] Computer system 500 may further include communications interface 524 (e.g., network interface). Communications interface 524 may enable computer system 500 to communicate and interact with any combination of external devices, external networks, external entities, etc. (individually and collectively referenced as remote device(s), network(s), entity(ies) 528). For example, communications interface 524 may allow computer system 500 to communicate with external or remote device(s), network(s), entity(ies) 528 over communications path 526, which may be wired and/or wireless (or a combination thereof), and which may include any combination of LANs, WANs, the Internet, etc. Control logic and/or data may be transmitted to and from computer system 500 via communications path 526.
[123] Computer system 500 may also be any of a personal digital assistant (PDA), desktop workstation, laptop or notebook computer, netbook, tablet, smartphone, smartwatch or other wearable devices, appliance, part of the Internet-of-Things, and/or embedded system, to name a few non-limiting examples, or any combination thereof.
[124] Computer system 500 may be a client or server computing device, accessing or hosting any applications and/or data through any delivery paradigm, including but not limited to remote or distributed cloud computing solutions; local or on-premises software ("on-premise" cloud-based solutions); "as a service" models (e.g., content as a service (CaaS), digital content as a service (DCaaS), software as a service (SaaS), managed software as a service (MSaaS), platform as a service (PaaS), desktop as a service (DaaS), framework as a service (FaaS), backend as a service (BaaS), mobile backend as a service (MBaaS), infrastructure as a service (IaaS), etc.); and/or a hybrid model including any combination of the foregoing examples or other services or delivery paradigms.
[125] Fig. 3 illustrates an example machine of a computer system 900 within which a set of instructions, for causing the machine to perform any one or more of the operations discussed herein, may be executed. In alternative implementations, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment.
[126] The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a specialized application or network security appliance or device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
[127] The example computer system 900 includes a processing device 902, a main memory 904 (e.g., read-only memory (ROM), flash memory, dynamic random-access memory (DRAM) such as synchronous DRAM (SDRAM), etc.), a static memory 906 (e.g., flash memory, static random-access memory (SRAM), etc.), and a data storage device 918, which communicate with each other via a bus 930.
[128] Processing device 902 represents one or more processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be a complex instruction set computing (CISC) microprocessor, a reduced instruction set computing (RISC) microprocessor, a very long instruction word (VLIW) microprocessor, a processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 902 may also be one or more special-purpose processing devices such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), a network processor, or the like. The processing device 902 is configured to execute instructions 926 for performing the operations and steps discussed herein.
[129] The computer system 900 may further include a network interface device 908 to communicate over the network 920. The computer system 900 also may include a video display unit 910, an alphanumeric input device 912 (e.g., a keyboard), a cursor control device 914 (e.g., a mouse), a graphics processing unit 922, a signal generation device 916 (e.g., a speaker), a video processing unit 928, and an audio processing unit 932.
[130] The data storage device 918 may include a machine-readable medium 924 (also known as a computer-readable storage medium) on which is stored one or more sets of instructions 926 (e.g., software instructions) embodying any one or more of the operations described herein. The instructions 926 may also reside, completely or at least partially, within the main memory 904 and/or within the processing device 902 during execution thereof by the computer system 900, where the main memory 904 and the processing device 902 also constitute machine-readable storage media.
[131] In an example, the instructions 926 include instructions to implement operations and functionality corresponding to the disclosed subject matter. While the machine-readable storage medium 924 is shown in an example implementation to be a single medium, the term "machine-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions 926. The term "machine-readable storage medium" shall also be taken to include any medium that is capable of storing or encoding a set of instructions 926 for execution by the machine and that cause the machine to perform any one or more of the operations of the present disclosure. The term "machine-readable storage medium" shall accordingly be taken to include, but is not limited to, solid-state memories, optical media, and magnetic media.
[132] Some portions of the detailed description have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
[133] It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as "identifying" or "determining" or "executing" or "performing" or "collecting" or "creating" or "sending" or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices.
[134] The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the intended purposes, or it may comprise a computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer-readable storage medium, such as but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
[135] The operations and illustrations presented herein are not inherently related to any particular computer or other apparatus. Various types of systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the operations. The structure for a variety of these systems will appear as set forth in the description herein. In addition, the present disclosure is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the disclosure as described herein.
[136] The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure. A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as read-only memory ("ROM"), random access memory ("RAM"), magnetic disk storage media, optical storage media, flash memory devices, etc.
[137] In some embodiments, a tangible, non-transitory apparatus or article of manufacture comprising a tangible, non-transitory computer useable or readable medium having control logic (software) stored thereon may also be referred to herein as a computer program product or program storage device. This includes, but is not limited to, computer system 500, main memory 508, secondary memory 510, and removable storage units 518 and 522, as well as tangible articles of manufacture embodying any combination of the foregoing. Such control logic, when executed by one or more data processing devices (such as computer system 500), may cause such data processing devices to operate as described herein.
[138] Based on the teachings contained in this disclosure, it will be apparent to persons skilled in the relevant art(s) how to make and use embodiments of this disclosure using data processing devices, computer systems, and/or computer architectures other than that shown in Figs. 2, 3, and 4. In particular, embodiments can operate with software, hardware, and/or operating system implementations other than those described herein.
[139] It is to be appreciated that the Detailed Description section, and not any other section, is intended to be used to interpret the claims. Other sections can set forth one or more but not all exemplary embodiments as contemplated by the inventor(s), and thus, are not intended to limit this disclosure or the appended claims in any way.
[140] While this disclosure describes exemplary embodiments for exemplary fields and applications, it should be understood that the disclosure is not limited thereto. Other embodiments and modifications thereto are possible and are within the scope and spirit of this disclosure. For example, and without limiting the generality of this paragraph, embodiments are not limited to the software, hardware, firmware, and/or entities illustrated in the figures described herein. Further, embodiments (whether or not explicitly described herein) have significant utility to fields and applications beyond the examples described herein.
[141] Embodiments have been described herein with the aid of functional building blocks illustrating the implementation of specified functions and relationships thereof. The boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries can be defined as long as the specified functions and relationships (or equivalents thereof) are appropriately performed. Also, alternative embodiments can perform functional blocks, steps, operations, methods, etc. using orderings different than those described herein.
[142] References herein to "one embodiment," "an embodiment," "an example embodiment," or similar phrases, indicate that the embodiment described can include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it would be within the knowledge of persons skilled in the relevant art(s) to incorporate such feature, structure, or characteristic into other embodiments whether or not explicitly mentioned or described herein. Additionally, some embodiments can be described using the expressions "coupled" and "connected" along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments can be described using the terms "connected" and/or "coupled" to indicate that two or more elements are in direct physical or electrical contact with each other. The term "coupled," however, can also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
[143] The breadth and scope of this disclosure should not be limited by any of the above-described exemplary embodiments but should be defined only in accordance with the following claims and their equivalents. In the foregoing specification, implementations of the disclosure have been described with reference to specific example implementations thereof. It will be evident that various modifications may be made thereto without departing from the broader spirit and scope of implementations of the disclosure as set forth in the following claims. The specification and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.

Claims

1. A method executing on a quantum computer tracer for detecting if a decoder device is executing a pirated copy of a decryption key acquired from a traitor, the method comprising: executing an algorithm for measuring an estimation of p_i, the algorithm comprising: an outer loop, the outer loop further comprising: initializing a predetermined number of bits n based on a broadcast encryption algorithm; initializing n qubits in a uniform superposition; initializing a classical list with one element set as 0; executing an inner loop a number of times, the number of times being based on: a decoder success probability, a number of users (the number of i's) in the system, and a tracing algorithm success probability; wherein the inner loop comprises:
(a) based on the n qubits and the current i, creating a quantum state that is a superposition of ciphertexts for the broadcast encryption algorithm and querying the decoder on the created quantum state to determine if the decoder was successful, and appending a 0 or 1 to the classical list accordingly; and
(b) executing a quantum measurement operation to determine if the n qubits are in uniform superposition, and appending a 0 or 1 to the classical list accordingly; terminating the inner loop; determining the number of bit flips from a 0 to 1 or 1 to a 0 in the classical list; dividing the number of bit flips by the bit length of the classical list to derive a fraction of bit flips; repeating steps (a) and (b) until (b) outputs a 0; outputting the derived fraction of bit flips as an estimation p_i; terminating the outer loop; in sequential order of decreasing i, comparing each p_i by identifying a magnitude difference between two adjacent estimations; and determining if the decryption key for user i is executed by the decoder based on the magnitude of the difference being larger than a predetermined threshold.
2. A system executing on a quantum computer tracer for detecting if a decoder device is executing a pirated copy of a decryption key acquired from a traitor, the system comprising: a quantum circuit configured for: executing an algorithm for measuring an estimation of p_i, the algorithm comprising: an outer loop, the outer loop further comprising: initializing a predetermined number of bits n based on a broadcast encryption algorithm; initializing n qubits in a uniform superposition; initializing a classical list with one element set as 0; executing an inner loop a number of times, the number of times being based on: a decoder success probability, a number of users (the number of i's) in the system, and a tracing algorithm success probability; wherein the inner loop comprises:
(a) based on the n qubits and the current i, creating a quantum state that is a superposition of ciphertexts for the broadcast encryption algorithm and querying the decoder on the created quantum state to determine if the decoder was successful, and appending a 0 or 1 to the classical list accordingly; and
(b) executing a quantum measurement operation to determine if the n qubits are in uniform superposition, and appending a 0 or 1 to the classical list accordingly; terminating the inner loop; determining the number of bit flips from a 0 to 1 or 1 to a 0 in the classical list; dividing the number of bit flips by the bit length of the classical list to derive a fraction of bit flips; repeating steps (a) and (b) until (b) outputs a 0; outputting the derived fraction of bit flips as an estimation p_i; terminating the outer loop; in sequential order of decreasing i, comparing each p_i by identifying a magnitude difference between two adjacent estimations; and determining if the decryption key for user i is executed by the decoder based on the magnitude of the difference being larger than a predetermined threshold.
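The tracing loop of claim 1 (claim 2 is the same loop stated as a system), as an added Python state-vector simulation that is not part of the patent and not the inventor's code. It assumes a toy model: the n-qubit register holds the encryption randomness, the pirate decoder is a classical box that decrypts a type-i ciphertext exactly when that randomness lies in a constructed set D_i (so the "decoder succeeded" test of step (a) is a projector diagonal in the computational basis), the register is freshly prepared for each index instead of rewound after the inner loop, and the inner-loop length is taken as a parameter; every function name and the pirate's success profile are constructed for this example.

```python
import math
import random


def uniform_state(n):
    """|+^n>: the n-qubit register in uniform superposition (real amplitudes suffice here)."""
    dim = 1 << n
    return [1.0 / math.sqrt(dim)] * dim


def measure(state, project, rng):
    """Two-outcome projective measurement. `project` maps a state vector to P|state>.
    Returns (outcome, post-measurement state) using the Born rule Pr[1] = ||P psi||^2."""
    proj = project(state)
    p1 = sum(a * a for a in proj)
    if rng.random() < p1:
        norm = math.sqrt(p1)
        return 1, [a / norm for a in proj]
    rest = [a - b for a, b in zip(state, proj)]
    norm = math.sqrt(sum(a * a for a in rest))
    return 0, [a / norm for a in rest]


def success_projector(decodable):
    """Step (a) in this model: the decoder succeeds exactly on the randomness strings in
    `decodable` (a constructed set of ints), so 'success' keeps those basis amplitudes."""
    return lambda state: [a if k in decodable else 0.0 for k, a in enumerate(state)]


def uniform_projector(n):
    """Step (b): Q = |+^n><+^n|, the test 'is the register still in uniform superposition'."""
    plus = uniform_state(n)

    def project(state):
        overlap = sum(a * b for a, b in zip(state, plus))
        return [overlap * b for b in plus]

    return project


def estimate_flip_fraction(n, decodable, rounds, rng):
    """One outer-loop pass of claim 1 for a single index i: start in |+^n> with the
    classical list [0], alternate measurements (a) and (b) `rounds` times, and return
    (#bit flips) / len(list). In the two-dimensional subspace spanned by |+^n> and the
    decoder's success state, each step after the first flips with probability 1 - p, so
    the fraction approaches 1 - p, p being the decoder's success probability on type i."""
    state = uniform_state(n)
    outcomes = [0]
    succ, unif = success_projector(decodable), uniform_projector(n)
    for _ in range(rounds):
        bit, state = measure(state, succ, rng)   # (a) query decoder on the superposition
        outcomes.append(bit)
        bit, state = measure(state, unif, rng)   # (b) check for uniform superposition
        outcomes.append(bit)
    flips = sum(1 for x, y in zip(outcomes, outcomes[1:]) if x != y)
    return flips / len(outcomes)


def trace(n, decodable_sets, rounds, threshold, seed=0):
    """Run the estimator for every index (users 1..N plus the index N+1 that no user can
    decrypt), then scan i downward and accuse user i when |p_i - p_{i+1}| > threshold.
    Returns (estimates by index, sorted list of accused users)."""
    rng = random.Random(seed)
    indices = sorted(decodable_sets)
    est = {i: estimate_flip_fraction(n, decodable_sets[i], rounds, rng) for i in indices}
    accused = [i for i in reversed(indices[:-1]) if abs(est[i] - est[i + 1]) > threshold]
    return est, sorted(accused)


def constructed_pirate(n, success):
    """Constructed decoder profile: success[i] is the fraction of type-i ciphertexts the
    pirate decrypts, realised as the first round(success[i] * 2^n) randomness strings."""
    return {i: set(range(round(s * (1 << n)))) for i, s in success.items()}


# Constructed scenario: 4 users; index 5 is the ciphertext type nobody can decrypt.
# The pirate behaves as if it holds user 2's key (types 1-2) and, half the time, user 4's.
PIRATE = constructed_pirate(4, {1: 1.0, 2: 1.0, 3: 0.5, 4: 0.5, 5: 0.0})

if __name__ == "__main__":
    estimates, accused = trace(4, PIRATE, rounds=400, threshold=0.25)
    print({i: round(p, 3) for i, p in estimates.items()}, accused)
```

Because the estimate is the flip fraction, indices the pirate always decrypts come out near 0 and the undecryptable index near 1; only the gaps between adjacent indices matter for the accusation step.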

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202063060206P 2020-08-03 2020-08-03
US63/060,206 2020-08-03

Publications (1)

Publication Number Publication Date
WO2022031624A1 true WO2022031624A1 (en) 2022-02-10

Family

ID=80118475

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2021/044229 WO2022031624A1 (en) 2020-08-03 2021-08-02 Quantum traitor tracing of pirate decoders

Country Status (1)

Country Link
WO (1) WO2022031624A1 (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050157878A1 (en) * 2004-01-21 2005-07-21 Tatsuyuki Matsushita Content providing system, user system, tracing system, apparatus, method, and program
US20070165853A1 (en) * 2005-12-30 2007-07-19 Hongxia Jin Method for tracing traitor coalitions and preventing piracy of digital content in a broadcast encryption system
US20090214031A1 (en) * 2008-02-27 2009-08-27 International Business Machines Corporation Unified broadcast encryption system
US20120060223A1 (en) * 2010-09-07 2012-03-08 Hongxia Jin Traitor tracing in a content protection system
US20130227286A1 (en) * 2006-04-25 2013-08-29 Andre Jacques Brisson Dynamic Identity Verification and Authentication, Dynamic Distributed Key Infrastructures, Dynamic Distributed Key Systems and Method for Identity Management, Authentication Servers, Data Security and Preventing Man-in-the-Middle Attacks, Side Channel Attacks, Botnet Attacks, and Credit Card and Financial Transaction Fraud, Mitigating Biometric False Positives and False Negatives, and Controlling Life of Accessible Data in the Cloud
US20150033026A1 (en) * 2011-06-17 2015-01-29 Irdeto B.V. Dynamic tardos traitor tracing schemes
US20180241727A1 (en) * 2015-01-26 2018-08-23 Listat Ltd. Secure Dynamic Communication Network And Protocol

Non-Patent Citations (1)

Title
ZHANDRY, M.: "Schrödinger's pirate: How to trace a quantum decoder", Theory of Cryptography Conference, 16 November 2020, pages 61-91, XP047572927, retrieved from the Internet: https://eprint.iacr.org/2020/1191.pdf *

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 21854342; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 21854342; Country of ref document: EP; Kind code of ref document: A1)