Secure Software Leasing from Standard Assumptions

TL;DR

This paper introduces secure software leasing schemes based on standard cryptographic assumptions, specifically LWE, enabling controlled software execution with quantum-resistant security and classical communication.

Contribution

It presents novel SSL schemes based on LWE for pseudorandom and evasive functions, introducing two-tier quantum lightning for security against quantum adversaries.

Findings

SSL schemes based on LWE for pseudorandom functions

SSL schemes for evasive functions with quantum security

Introduction of two-tier quantum lightning for security

Abstract

Secure software leasing (SSL) is a quantum cryptographic primitive that enables users to execute software only during the software is leased. It prevents users from executing leased software after they return the leased software to its owner. SSL can make software distribution more flexible and controllable. Although SSL is an attractive cryptographic primitive, the existing SSL scheme is based on public key quantum money, which is not instantiated with standard cryptographic assumptions so far. Moreover, the existing SSL scheme only supports a subclass of evasive functions. In this work, we present SSL schemes based on the learning with errors assumption (LWE). Specifically, our contributions consist of the following. - We construct an SSL scheme for pseudorandom functions from the LWE assumption against quantum adversaries. - We construct an SSL scheme for a subclass of evasive functions from the LWE assumption against sub-exponential quantum adversaries. - We construct SSL schemes for the functionalities above with classical communication from the LWE assumption against (sub-exponential) quantum adversaries. SSL with classical communication means that entities exchange only classical information though they run quantum computation locally. Our crucial tool is two-tier quantum lightning, which is introduced in this work and a relaxed version of quantum lighting. In two-tier quantum lightning schemes, we have a public verification algorithm called semi-verification and a private verification algorithm called full-verification. An adversary cannot generate possibly entangled two quantum states whose serial numbers are the same such that one passes the semi-verification, and the other also passes the full-verification. We show that we can construct a two-tier quantum lightning scheme from the LWE assumption.