On the Feasibility of Unclonable Encryption, and More

TL;DR

This paper investigates the feasibility of unclonable encryption, demonstrating its unconditional existence in the quantum random oracle model, providing negative results for certain schemes, and establishing copy-protection for single-bit functions.

Contribution

It proves the unconditional feasibility of unclonable encryption in the quantum random oracle model and explores limitations and related primitives.

Findings

Unclonable encryption schemes exist unconditionally in the quantum random oracle model.

A large class of encryption schemes cannot satisfy unclonable indistinguishability.

Feasibility of copy-protection for single-bit output point functions is established.

Abstract

Unclonable encryption, first introduced by Broadbent and Lord (TQC'20), is a one-time encryption scheme with the following security guarantee: any non-local adversary (A, B, C) cannot simultaneously distinguish encryptions of two equal length messages. This notion is termed as unclonable indistinguishability. Prior works focused on achieving a weaker notion of unclonable encryption, where we required that any non-local adversary (A, B, C) cannot simultaneously recover the entire message m. Seemingly innocuous, understanding the feasibility of encryption schemes satisfying unclonable indistinguishability (even for 1-bit messages) has remained elusive. We make progress towards establishing the feasibility of unclonable encryption. - We show that encryption schemes satisfying unclonable indistinguishability exist unconditionally in the quantum random oracle model. - Towards understanding the necessity of oracles, we present a negative result stipulating that a large class of encryption schemes cannot satisfy unclonable indistinguishability. - Finally, we also establish the feasibility of another closely related primitive: copy-protection for single-bit output point functions. Prior works only established the feasibility of copy-protection for multi-bit output point functions or they achieved constant security error for single-bit output point functions.