Towards Quantum OneTime Memories
from Stateless Hardware
Abstract
A central tenet of theoretical cryptography is the study of the minimal assumptions required to implement a given cryptographic primitive. One such primitive is the onetime memory (OTM), introduced by Goldwasser, Kalai, and Rothblum [CRYPTO 2008], which is a classical functionality modeled after a noninteractive 1outof2 oblivious transfer, and which is complete for onetime classical and quantum programs. It is known that secure OTMs do not exist in the standard model in both the classical and quantum settings.
Here, we propose a scheme for using quantum information, together with the assumption of stateless (i.e., reusable) hardware tokens, to build statistically secure OTMs. Via the semidefinite programmingbased quantum games framework of Gutoski and Watrous [STOC 2007], we prove security for a malicious receiver, against a linear number of adaptive queries to the token, in the quantum universal composability framework. We prove standalone security against a malicious sender, but leave open the question of composable security against a malicious sender, as well as security against a malicious receiver making a polynomial number of adaptive queries. Compared to alternative schemes derived from the literature on quantum money, our scheme is technologically simple since it is of the “prepareandmeasure” type. We also show our scheme is “tight” according to two scenarios.
1 Introduction
The study of theoretical cryptography is centered around the question of building cryptographic primitives secure against adversarial attacks. In order to allow a broader set of such primitives to be implemented, one often considers restricting the power of the adversary. For example, one can limit the computing power of adversaries to be polynomial bounded [Yao82, BM82], restrict the storage of adversaries to be bounded or noisy [Mau92, CM97, DFSS05], or make trusted setups available to honest players [Kil88, BFM88, Can01, CLOS02, IPS08, PR08, LPV09, MPR09, MPR10, MR11, KMQ11, KMPS14], to name a few. One wellknown trusted setup is tamperproof hardware [Kat07, GKR08], which is assumed to provide a specific inputoutput functionality, and which can only be accessed in a “black box” fashion. The hardware can maintain a state (i.e., is stateful) and possibly carry out complex functionality, but presumably may be difficult or expensive to implement or manufacture. This leads to an interesting research direction: Building cryptography primitives using the simplest (and hence easiest and cheapest to manufacture) hardware.
In this respect, two distinct simplified notions of hardware have captured considerable interest. The first is the notion of a onetime memory (OTM) [GKR08], which is arguably the simplest possible notion of stateful hardware. An OTM, modeled after a noninteractive 1outof2 oblivious transfer, behaves as follows: first, a player (called the sender) embeds two values and into the OTM, and then gives the OTM to another player (called the receiver). The receiver can now read his choice of precisely one of or ; after this “use” of the OTM, however, the unread bit is lost forever. Interestingly, OTMs are complete for implementing onetime use programs (OTPs): given access to OTMs, one can implement statistically secure OTPs for any efficiently computable program in the universal composability (UC) framework [GIS10]. (OTPs, in turn, have applications in software protection and onetime proofs [GKR08].) In the quantum UC model, OTMs enable quantum onetime programs [BGS13]. (This situation is analogous to the case of oblivious transfer being complete for twoparty secure function evaluation [Kil88, IPS08].) Unfortunately, OTMs are inherently stateful, and thus represent a very strong cryptographic assumption — any physical implementation of such a device must somehow maintain internal knowledge between activations, i.e., it must completely “selfdestruct” after a single use.
This brings us to a second important simplified notion of hardware known as a stateless token [CGS08], which keeps no record of previous interactions. On the positive side, such hardware is presumably easier to implement. On the negative side, an adversary can run an experiment with stateless hardware as many times as desired, and each time the hardware is essentially “reset”. (Despite this, stateless hardware has been useful in achieving computationally secure multiparty computation [CGS08, GIS10, CKS14], and statistically secure commitments [DS13].) It thus seems impossible for stateless tokens to be helpful in implementing any sort of “selfdestruct” mechanism. Indeed, classically stateful tokens are trivially more powerful than stateless ones, as observed in, e.g., [GIS10]. This raises the question:
Can quantum information, together with a classical stateless token, be used to simulate “self destruction” of a hardware token?
In particular, a natural question along these lines is whether quantum information can help implement an OTM. Unfortunately, it is known that quantum information alone cannot implement an OTM (or, more generally, any onetime program) [BGS13]; see also Section 4 below. We thus ask the question: What are the minimal cryptographic assumptions required in a quantum world to implement an OTM?
Contributions and summary of techniques.
Our main contribution is to propose a prepareandmeasure quantum protocol that constructs OTMs from stateless hardware tokens. We provide a proof which establishes information theoretic security against an adversary making a linear (in , the security parameter) number of adaptive queries to the token. Even in this setting of linear queries, this result is in sharp contrast to the classical case, in which such a construction is trivially impossible. We also show standalone security against a malicious sender.
Historical Note. A preliminary version of this work [BGZ15] claimed security against a polynomial number of token queries. This was claimed via a reduction from the interactive to the noninteractive setting. We thank an anonymous referee for catching a subtle, but important bug in that proof attempt. For clarity, our current proof against a linear number of queries uses a different approach. Since our original paper was posted, recent related work [CGLZ18] has shown a quantum transformation from stateful to stateless tokens, directly using constructions and proofs from the literature on quantum money [BDS18]. As far as we are aware, this family of schemes requires highly entangled states that do not satisfy the requirements of a prepareandmeasure scheme. This recent work also raises a concern about our security model involving an honest sender; this concern is addressed in Section 3.2 where we show standalone security against a malicious sender.
Construction. Our construction is inspired by Wiesner’s idea for conjugate coding [Wie83]: the quantum portion of the protocols consists in quantum states chosen uniformly at random from (note this encoding is independent of the classical bits of the OTM functionality). We then couple this qubit quantum state, (sometimes called the quantum key) with a classical stateless hardware token, which takes as inputs a choice bit , together with an bit string . If , the hardware token verifies that the bits of that correspond to rectilinear ( or , i.e., basis) encoded qubits of are consistent with the measurement of in the computational basis, in which case the bit is returned. If , the hardware token verifies that the bits of that correspond to diagonal ( or , i.e., basis) encoded qubits of are consistent with the measurement of in the diagonal basis, in which case the bit is returned.
Assumption. Crucially, the hardware token is specified to accept classical input only^{1}^{1}1This can be simulated on quantum inputs by having the token immediately measure its input in the standard basis. (i.e., it cannot be queried in superposition). Although this may seem a strong assumption, in Section 4.1 we show that any token which can be queried in superposition in a reversible way, cannot be used to construct a secure OTM (with respect to our setting in which the adversary is allowed to apply arbitrary quantum operations). Similar classicalinput hardware has previously been considered in, e.g., [Unr13, BGS13].
Security and intuition. Standalone security against a malicious sender is relatively straightforward to establish, since the protocol consists in a single message from the sender to the receiver, and since standalone security only requires simulation of the local view of the adversary.
The intuition underlying security against a malicious receiver is clear: in order for a receiver to extract a bit as encoded in the OTM, she must perform a complete measurement of the qubits of in order to obtain a classical key for (since, otherwise, she would likely fail the test as imposed by the hardware token). But such a measurement would invalidate the receiver’s chance of extracting the bit ! This is exactly the “selfdestruct”like property we require in order to implement an OTM. This intuitive notion of security was already present in Wiesner’s proposal for quantum money^{2}^{2}2Intuitively, quantum money aims to construct a physical currency which is impossible to counterfeit by the laws of quantum mechanics. [Wie83], and is often given a physical explanation in terms of the nocloning theorem [WZ82], or the Heisenberg uncertainty relation [Hei27].
Formally, we work in the statistical (i.e., informationtheoretic) setting of the quantum Universal Composability (UC) framework [Unr10], which allows us to make strong security statements that address the composability of our protocol within others. As a proof technique, we describe a simulator, such that for any “quantum environment” wishing to interact with the OTM, the environment statistically cannot tell whether it is interacting with the ideal OTM functionality or the real OTM instance provided by our scheme. The security of this simulator requires a statement of the following form: Given access to a (randomly chosen) “quantum key” and corresponding stateless token , it is highly unlikely for an adversary to successfully extract keys for both the secret bits and held by . We are able to show this statement for any adversary which makes a linear number of queries, by which we mean an adversary making queries succeeds with probability at most (for the number of quantum key bits in ). In other words, if the adversary makes at most queries with , then its probability of cheating successfully is exponentially small in . To show this statement, we exploit the semidefinite programmingbased quantum games framework of Gutoski and Watrous [GW07] to model interaction with the token. We describe this technique in Section 3.4 and provide the full details in the Appendix C.
Summarizing, we show the following.
’s Main Theorem (informal).
There exists a protocol , which together with a classical stateless token and the ability to randomly prepare single qubits in one of four pure states, implements the OTM functionality with statistical security in the UC framework against a corrupted receiver making a linear number of adaptive queries.
We leave open the question of security against a polynomial number of adaptive queries.
Further Related work. Our work contributes to the growing list of functionalities achievable with quantum information, yet unachievable classically. This includes: unconditionally secure key expansion [BB84], physically uncloneable money [Wie83, MVW13, PYJ12], a reduction from oblivious transfer to bit commitment [BBCS92, DFL09] and to other primitives such as “cutand choose” functionality [FKS13], and revocable timerelease quantum encryption [Unr14]. Importantly, these protocols all make use of the technique of conjugate coding [Wie83], which is also an important technique used in protocols for OT in the bounded quantum storage and noisy quantum storage models [DFSS05, WST08] (see [BS16] for a survey).
A number of proof techniques have been developed in the context of conjugate coding, including entropic uncertainty relations [WW10]. In the context of QKD, another successful technique is the use of de Finetti reductions [Ren08] (which exploit the symmetry of the scheme in order to simplify the analysis). Recently, semidefinite programming approaches have been applied to analyze security of conjugate coding [MVW13]. This is the type of approach we adopt for our proof (Section 3.4 and Appendix C), though here we work with the more general quantum games framework of Gutoski and Watrous [GW07]. Reference [PYJ12] has also made use of Gavinsky’s [Gav12] quantum retrieval games framework.
Continuing with proof techniques, somewhat similar to [PYJ12], Aaronson and Christiano [AC12] have studied quantum money schemes in which one interacts with a verifier. They introduce an “inner product adversary method” to lower bound the number of queries required to break their scheme.
We remark that [PYJ12] and [MVW13] have studied schemes based on conjugate coding similar to ours, but in the context of quantum money. In contrast to our setting, the schemes of [PYJ12] and [MVW13] (for example) involve dynamically chosen random challenges from a verifier to the holder of a “quantum banknote”, whereas in our work here the “challenges” are fixed (i.e., measure all qubits in the or basis to obtain secret bit or , respectively), and the verifier is replaced by a stateless token.
Also, we note that prior work has achieved oblivious transfer using quantum information, together with some assumption (e.g., bit commitment [BBCS92] or bounded quantum storage [DFSS05]). These protocols typically use an interaction phase similar to the “commitandopen” protocol of [BBCS92]; because we are working in the noninteractive setting, these techniques appear to be inapplicable.
Finally, Liu [Liu14a, Liu14b, Liu15] has given standalone secure OTMs using quantum information. In contrast to our setting, in which we allow unbounded and unrestricted quantum adversaries, Liu’s results are set in the isolatedqubit model, which assumes that an adversary can perform only singlequbit operations (no entangling gates are permitted). However, in exchange for restricting the adversary, Liu is able to avoid the use of trusted setups. The security notion of OTMs by Liu is weaker than the simulationbased notion that is studied in this paper, and it is unclear whether this type of OTM is composable.
Significance. Our results show a strong separation between the classical and quantum settings, since classically, stateless tokens cannot be used to securely implement OTMs. To the best of our knowledge, our work is the first to combine conjugate coding with stateless hardware tokens. Moreover, while our protocol shares similarities with prior work in the setting of quantum money, building OTMs appears to be a new focus here ^{3}^{3}3We remark, however, that a reminiscent concept of single usage of quantum “tickets” in the context of quantum money is very briefly mentioned in Appendix S.4.1 of [PYJ12]..
Our protocol has a simple implementation, fitting into the singlequbit prepareandmeasure paradigm (one needs only the ability to prepares states ). In addition, from a theoretical cryptographic perspective, our protocol is attractive in that its implementation requires an assumption of a stateless hardware token, which is conceivably easier and cheaper to mass produce than a stateful token.
In terms of security guarantees, we allow arbitrary operations on behalf of a malicious quantum receiver in our protocol (i.e., all operations allowed by quantum mechanics), with the adversary restricted in that the stateless token is assumed only usable as a black box. The security we obtain is statistical, with the only computational assumption being on the number of queries made to the token. Finally, our proofs are rigorous statements in the quantum UC framework, meaning our protocol can be easily composed with others proved secure in this framework (e.g., combining our results with [BGS13]’s protocol immediately yields UCsecure quantum OTPs against a dishonest receiver).
We close by remarking that our scheme is “tight” with respect to two impossibility results, both of which assume the adversary has blackbox access to both the token and its inverse operation ^{4}^{4}4This is common in quantum computation, where a function is typically implemented via a unitary acting on qubits, and satisfying . By definition, is selfinverse; thus, a user with access to trivially also has access to its inverse .. First, the assumption that the token be queried only in the computational basis cannot be relaxed: Section 4.1 shows that if the token can be queried in superposition, then an adversary in our setting can easily break any OTM scheme. Second, our scheme has the property that corresponding to each secret bit held by the token, there are exponentially many valid keys one can input to the token to extract . In Section 4.2, we show that for any “measureandaccess” OTM (i.e., an OTM in which one measures a given quantum key and uses the classical measurement result to access a token to extract data, of which our protocol is an example), a polynomial number of keys implies the ability to break the scheme with inverse polynomial probability (more generally, keys allows probability at least of breaking the scheme).
Open Questions. While our work shows the fundamental advantage quantum information yields in a stateful to stateless reduction, it does leave a number of open questions:

Security against polynomially many queries. Can our security proof be strengthened to show information theoretic security against a polynomial number of queries to the token? We conjecture this to be the case, but finding a formal proof has been elusive.

Composable security against a malicious sender. While we show composable security against a malicious receiver, our protocol can achieve standalone security against a malicious sender. Could an adaptation of our protocol ensure composable security against a malicious sender as well?

Nonreversible token. Our impossibility result for quantum onetime memories with quantum queries (Section 4) assumes the adversary has access to reversible tokens; can a similar impossibility result be shown for nonreversible tokens?

Imperfect devices. While our prepareandmeasure scheme is technologically simple, it is still virtually unrealizable with current technology, due to the requirement of perfect quantum measurements. We leave open the question of tolerance to a small amount of noise.
Acknowledgements. We thank anonymous referees for pointing out that the impossibility result against quantum queries applies only if we model the token as a reversible process, as well as for finding an error in a prior version of this work, which erroneously claimed a reduction from the adaptive to nonadaptive case. We thank Jamie Sikora for related discussions. This material is based upon work supported by the U.S. Air Force Office of Scientific Research under award number FA95501710083, Canadaâs NSERC, an Ontario ERA, and the University of Ottawaâs Research Chairs program.
Organization of the paper. The remainder of the paper is organized as follows. We begin in Section 2 with preliminaries, including the ideal functionalities for an OTM and stateless token. In Section 3, we give our construction for an OTM based on a stateless hardware token; the proof ideas for security are also provided. In Section 4, we discuss “tightness” of our construction by showing two impossibility results for “relaxations” of our scheme. In the Appendix, we include the description of classical UC and quantum UC (Appendix A); Appendix B establishes notation required in the definition of standalone security against a malicious sender. Appendix C gives our formal security proof against a linear number of queries to the token; these results are used to finish the security proof in Section 3.) In addition, the security proof for a lemma in Section 4 can be found in Appendix D.
2 Preliminaries
Notation. We say two binary distributions and are indistinguishable, denoted , if it holds that We define singlequbit and , so that form the rectilinear basis. We also define and , so that form the diagonal basis. For strings and , we define . Finally, denotes the standard Hadamard gate in quantum information.
Quantum universal composition (UC) framework. We consider simulationbased security in this paper. In particular, we prove the security of our construction against a malicious receiver in the quantum universal composition (UC) framework [Unr10]. Please see Appendix A for a brief description of the classical UC [Can01] and the quantum UC [Unr10]. In the next two paragraphs, we introduce two relevant ideal functionalities of onetime memory and of stateless hardware token.
Onetime memory (OTM). The onetime memory (OTM) functionality involves two parties, the sender and the receiver, and consists of two phases, “Create” and “Execute”. Please see Functionality 1 below for details; for the sake of simplicity, we have omitted the session/party identifiers as they should be implicitly clear from the context. We sometimes refer to this functionality as an OTM token.
Stateless hardware. The original work of Katz [Kat07] introduces the ideal functionality to model stateful tokens in the UCframework. In the ideal model, a party that wants to create a token, sends the Turing machine to . will then run the machine (keeping the state), when the designated party will ask for it. The same functionality can be adapted to model stateless tokens. It is sufficient that the functionality does not keep the state between two executions. A simplified version of the functionality as shown in [CGS08] (that is very similar to the of [Kat07]) is described below. Note that, again for the sake of simplicity, we have omitted the session/party identifiers as they should be implicitly clear from the context.
Although the environment and adversary are unbounded, we specify that stateless hardware can be queried only a polynomial number of times. This is necessary, since otherwise the hardware token model is vacuous (with unbounded queries, the entire inputoutput behavior of stateless hardware can be deduced, hence there is nothing left to hide).
3 Feasibility of Quantum OTMs using Stateless Hardware
In this section, we present a quantum construction for onetime memories by using stateless hardware (Section 3.1). We also state our main theorem (Theorem 3.3). In Section 3.3, we describe the Simulator and prove Theorem 3.3 using the technical results of Appendix C. The intuition and techniques behind the proofs in Appendix C are sketched in Section 3.4.
3.1 Construction
We now present the OTM protocol in the hybrid model, between a sender and a receiver . Here the security parameter is .

Upon receiving input from the environment where , sender operates as follows:

The sender chooses uniformly random strings and , and prepares . Then the sender, based on tuple , prepares the program as in Program 1.

The sender sends to the receiver.

The sender sends to functionality , and the functionality sends to notify the receiver.


The receiver operates as follows:
Upon input from the environment, and from the receiver, and notification from ,
If , measure in the computational basis to get string and input into .

If , apply to , then measure in the computational basis to get string and input into .
Return the output of to the environment.
It is easy to see that the output of is for both and . 
Note again that the hardware token, as defined in Program 1, accepts only classical input (i.e., it cannot be queried in superposition). As mentioned earlier, relaxing this assumption yields impossibility of a secure OTM implementation (assuming the receiver also has access to the token’s inverse operation), as shown in Section 4.
3.2 StandAlone Security Against a Malicious Sender
We note that in protocol of Section 3.1, once the sender prepares and sends the token, she is no longer involved (and in particular, the sender does not receive any further communication from the receiver). We call such a protocol a oneway protocol. Because of this simple structure, and because the ideal functionality also does not return any message to the sender, we can easily establish standalone security against a malicious sender (see Theorem 3.2). Note that this rules out a trivial construction that is pointed out in [CGLZ18].
In order to define standalone security against a malicious sender (Definition 3.1), in our context, we closely follow definitions given in prior work [DNS10]. Please see Appendix B for details. Note that, instead of considering the approximate case for security, we are able to use the exact one.
Definition 3.1.
An step quantum twoparty protocol with oracle calls, is statistically standalone secure against a corrupt if for every adversary there exists a simulator such that for every input ,
(1) 
We note that Definition 3.1 is weaker than some other definitions for active security used in the literature, e.g., [DNS12], because we ask only that the local view of the adversary be simulated.
Given the simple structure of our protocol and ideal functionality, the construction and proof of the simulator is straightforward as shown below.
Theorem 3.2.
Protocol is statistically standalone secure against a corrupt sender.
Proof.
Since consists in a single message from the sender to the receiver (together with a call to the ideal functionality for the token), we have that . Furthermore, since the ideal functionality does not return anything to the sender, there is no need for our simulator to call an ideal functionality.
We thus build that runs on the input in register . When calls the ideal functionality, the simulator does nothing. Since is a oneway protocol, and since the ideal functionality also does not allow communication from the receiver to the sender,
(2) 
This concludes the proof. ∎
3.3 UCSecurity against a corrupt receiver
Our main theorem, which establishes security against a corrupt receiver is now stated as follows.
Theorem 3.3.
Construction above quantumUCrealizes in the hybrid model with statistical security against an activelycorrupted receiver making at most number of adaptive queries to the token, for any fixed constant .
To prove Theorem 3.3, we must construct and analyze an appropriate simulator, which we now proceed to do.
3.3.1 The simulator
In order to prove Theorem 3.3, for an adversary that corrupts the receiver, we need to build a simulator (having access to the OTM functionality ), such that for any unbounded environment , the executions in the real model and that in simulation are statistically indistinguishable. Our simulator is given below:

The simulator emulates an internal copy of the adversary who corrupts the receiver. The simulator emulates the communication between and the external environment by forwarding the communication messages between and .

The simulator needs to emulate the whole view for the adversary . First, the simulator picks dummy inputs and , and randomly chooses , and , and generates program . Then the simulator plays the role of the sender to send to the adversary (who controls the corrupted receiver). The simulator also emulates to notify by sending to indicate that the hardware is ready for queries.

For each query to from the adversary , the simulator evaluates program (that is created based on ) as in the construction, and then acts as follows:

If this is a rejecting input, output .

If this is the first accepting input, call the external with input , and learn the output from . Output .

If this is a subsequent accepting input, output (as above).

3.3.2 Analysis
We now show that the simulation and the real model execution are statistically indistinguishable. There are two cases in an execution of the simulation which we must consider:

Case 1: In all its queries to , the accepting inputs of have the same choice bit . In this case, the simulation is perfectly indistinguishable.

Case 2: In its queries to , produces accepting inputs for both and . In this case, it is possible that the simulation fails (the environment can distinguish the real model from the ideal model), since the simulator is only able to retrieve a single bit from the external OTM functionality (either corresponding to or ).
Thus, whereas in Case 1 the simulator behaves perfectly, in Case 2 it is in trouble. Fortunately, in Theorem 3.4 we show that the probability that Case 2 occurs is exponentially small in , the number of qubits comprising , provided the number of queries to the token scales as for a sufficiently small fixed constant . Specifically, we show that for an arbitrary query strategy (i.e., any quantum strategy allowed by quantum mechanics, whether efficiently implementable or not, which queries the token at most times), the probability of Case occurring is at most . (The constant above thus needs to be chosen as .) This concludes the proof.
3.4 Security analysis for the token: Intuition
Our simulation proof showing statistical security of our Quantum OTM construction of Section 3.1 relies crucially on Theorem 3.4, stated below. As the proof of this theorem uses quantum information theoretic and semidefinite programming techniques (as opposed to cryptographic techniques), let us introduce notation in line with the formal analysis of Appendix C.
With respect to the construction of Section 3.1, let us replace each twotuple by a single string , which we denote the secret key. Bits and of specify the basis and value of conjugate coding qubit for (i.e., and ). Also, rename the “quantum key” (or conjugate coding key) . Thus, the protocol begins by having the sender pick a secret key uniformly at random, and preparing a joint state
The first register, , is sent to the receiver, while the second register, , is kept by the token. (Thus, the token knows the secret key , and hence also which the receiver possesses.) The mixed state describing the receiver’s state of knowledge at this point is given by
We can now state Theorem 3.4.
Theorem 3.4.
Given a single copy of , and the ability to make (adaptive) queries to the hardware token, the probability that an unbounded quantum adversary can force the token to output both bits and scales as .
Thus, the probability of an unbounded adversary (i.e., with the ability to apply the most general maps allowed in quantum mechanics, tracepreserving completely positive (TPCP) maps, which are not necessarily efficiently implementable) to successfully cheat using for queries is exponentially small in the quantum key size, .
The full proof of Theorem 3.4 is given in Appendix C. Let us now give the intuition behind the proof approach.
Proof intuition.
The challenge in analyzing security is the additional resource the receiver (henceforth called the user) is given, the state , which the user may arbitrarily tamper with (in any manner allowed by quantum mechanics) while making queries to the token.
To prove Theorem 3.4, we model an adversary’s actions as a twoparty interaction between the user and token via the GutoskiWatrous (GW) theory of quantum games [GW07]. At a high level, the GW framework can be used to model our setting via Figure 3.4 (reproduced from Appendix C for completeness), which we now discuss. The bottom “row” of Figure 3.4 depicts the token’s actions, and the top row the user’s actions. The protocol begins by imagining the token sends initial state to the user via register . The user then applies an arbitrary sequence of TPCP maps to its private memory (modeled by register in round ), each time sending a query to the token via register . Given any such query in round , the token applies its own TPCP map to determine how to respond to the query. The action of is fully determined by Program 1, and in principle all are identical since the token is stateless (i.e., the action of the token in round is unaffected by previous rounds ). (We use the term “in principle” for the following reason. In practice, the token indeed has all being identical. To model our security analysis in the GW framework, which allows quantum interaction, it is convenient to imagine the token keeps a history of all queries it has seen thus far, which will technically make the distinct. What the history allows the token to do is simulate a measurement in the standard basis of any query the user sends; thus, the user can even send a quantum (i.e., superposition) query, which the token immediately measures in the standard basis to recover a classical query string. In other words, we can simulate forcing the user to make classical queries in the GW framework by exploiting the wellknown principle of deferred measurement. Crucially, in our security analysis, the token does not condition any of its future actions on this query history it maintains; this ensures the token is stateless in its behavior. See Appendix C for details.) Finally, after receiving the th query in register , we imagine the token makes a measurement (not depicted in Figure 3.4) based on the query responses it returned; if the user managed to extract both bits and via queries, then the token “accepts”, and otherwise it “rejects”. (Again, here we are assuming the token keeps a history of all its responses in our security analysis; this is used only for the final measurement to judge whether the user cheated successfully, and not in the determination of any other action the token takes.)
With this highlevel setup in place, the output of the GW framework is a semidefinite program, which we denote :
min:  (3)  
subject to:  (4)  
(5)  
(6)  
(7)  
(8)  
(9) 
Above, encodes the actions of the token. The variable denotes the “cheating probability” (i.e., the probability with which both and are extracted), subject to the constraint that operator encodes a valid “strategy” for the user of the token. The constraints which enforce a valid “strategy” are given by Equations (5)(9). These force the tuple to encode a ChoiJamiołkowski representation of a quantum strategy [GW07]. Let us briefly discuss the ChoiJamiołkowski representation (details in Appendix C) and outline why such a framework might output an SDP. Recall that in round of the protocol, the user applies TPCP map . Any TPCP map has a number of known representations, one of which is the ChoiJamiołkowski representation [Cho75, Jam72]. An advantage of the latter is it allows a simple characterization of the tracepreserving and completely positive properties of via linear and semidefinite constraints, respectively. Reference [GW07] extends this definition of the ChoiJamiołkowski representation from a single TPCP map to an interactive protocol with multiple such maps ; thus, intuitively one might expect such interactive strategies to also be characterized by linear and positive semidefinite constraints (i.e. by an SDP such as ).
Intuition for and an upper bound on .
It remains to give intuition as to how one derives in , and how an upper bound on the optimal is obtained. Without loss of generality, one may assume that each of the token’s TPCP maps are given by isometries , meaning (due to the Stinespring dilation theorem). (We omit the first isometry which prepares state in our discussion here for simplicity.) Let us denote their sequential application by a single operator (note: to make the product welldefined, in Equation (16) of Appendix C, one uses tensor products with identity matrices appropriately). Then, the ChoiJamiołkowski representation of is given by [GW07]
where we trace out the token’s private memory register . (The operator reshapes matrix into a vector; its precise definition is given in Section C, and is not required for our discussion here.) However, since in our security analysis, we imagine the token also makes a final measurement via some POVM , whereupon obtaining outcome the token “accepts”, and upon outcome the token rejects, we require a slightly more complicated setup — will actually be defined as [GW07]
for .
The full derivation of in our setting takes a few steps, and is given in Appendix C. Here, let us simply state and give intuition:
Intuitively, each string encodes the response of the token given the th query from the user; hence, the corresponding projectors in act on spaces through . Each string denotes the th query sent from the user to the token, where each in the notation of Program 1, i.e. is the choice bit for each query. Each such message is passed via register . The states and strings are defined as in the beginning of Section 3.4; recall and denote the secret key and corresponding quantum key, respectively. Finally, the relation encodes the constraint that for all , the tuple (i.e. each message to the token and secret key ) is consistent with the response returned by the token, .
Upper bounding . To now upper bound , our approach is to give a feasible solution satisfying the constraints of . Note that giving even a solution which attains for all and is nontrivial — such a solution is given in Lemma C.2 of Appendix C.3. Here, we shall give a solution which attains , as claimed in Theorem 3.4 (and formally proven in Theorem C.3 of Appendix C.3). Namely, we set
This satisfies constraint (5) of due to the identity term . The renormalization factor of above ensures that tracing out all registers yields in constraint (7) of . We are thus reduced to choosing the minimum such that constraint is satisfied. Note that setting will not work for large enough for this choice of . To see why, observe we have chosen to align with the blockdiagonal structure of on registers . Since registers and of are proportional to the identity matrix, it thus suffices to characterize the largest eigenvalue of , . This is done by Lemma C.4 of Appendix C.3, which says
Combining this bound on with the parameters of above now yields the desired claim that . We conclude that for , the probability that a user of the token successfully cheats and thus that the simulation fails is exponentially small in the key size, .
4 Impossibility Results
We now discuss “tightness” of our protocol with respect to impossibility results. To begin, it is easy to argue that OTMs cannot exist in the plain model (i.e., without additional assumptions) in both the classical and quantum settings: in the classical setting, impossibility holds, since software can always be copied. Quantumly, this follows by a simple rewinding argument [BGS13]. Here, we give two simple nogo results for the quantum setting which support the idea that our scheme is “tight” in terms of the minimality of the assumptions it uses. Both results assume the token is reversible, meaning the receiver can run both the token and its inverse operation. The results can be stated as:
4.1 Impossibility: Tokens which can be queried in superposition
In our construction, we require that all queries to the token be classical strings, i.e., no querying in superposition is allowed. It is easy to argue via a standard rewinding argument that relaxing this requirement yields impossibility of a secure OTM, as long as access to the token’s adjoint (inverse) operation is given, as we now show. Specifically, let be a quantum OTM implemented using a hardware token. Since the token access is assumed to be reversible, we may model it as an oracle realizing a function in the standard way, i.e., for all and ,
(10) 
Now, suppose our OTM stores two secret bits and , and provides the receiver with an initial state , where , , and are the algorithm’s workspace, query (i.e., input to ), and answer (i.e., ’s answers) registers, respectively. By definition, an honest receiver must be able to access precisely one of or with certainty, given . Thus, for any , there exists a quantum query algorithm for unitaries such that . For any choice of , however, this implies a malicious receiver can now classically copy to an external register, and then “rewind” by applying to to recover . Applying for to now yields the second bit with certainty as well. We conclude that a quantum OTM which allows superposition queries to a reversible stateless token is insecure.
Remark 4.1.
Above, we assumed the OTM outputs with certainty. The argument can be generalized to the setting in which the OTM outputs with probability at least for small ; in this case, Winter’s Gentle Measurement Lemma [Win99] can be used to show that both bits can again be recovered with nonnegligible probability.
Remark 4.2.
Our argument crucially relies on the fact that the receiver has superposition access to the operation. In certain models (e.g., software), such access is unavoidable. However, our result does not rule out the possibility that nonreversible superposition access to a token would allow for quantum OTMs.
4.2 Impossibility: Tokens with a bounded number of keys
We have observed that allowing superposition queries to the token prevents an OTM from being secure. One might next ask how simple a hardware token with classical queries can be, while still allowing a secure OTM. We now explore one such strengthening of our construction in which the token is forced to have a bounded number of keys.
To formalize this, let us define the notion of a “measureandaccess (MA)” OTM, i.e., an OTM in which given an initial state , an honest receiver applies a prescribed measurement to , and feeds the resulting classical string (i.e., key) into the token to obtain . Our construction is an example of a MA memory in which each bit has an exponential number of valid keys such that . One might ask whether the construction can be strengthened such that each has a bounded number (e.g., a polynomial number) of keys. We now show that such a strengthening would preclude security, assuming the token is reversible.
For clarity, implicitly in our proof below, we model the oracle as having three possible outputs: , , or , where is output whenever is fed an invalid key . This is required for the notion of having “few” keys to make sense (i.e., there are candidate keys, and only two secret bits, each of which is supposed to have a bounded number of keys). Note that our construction indeed fits into this framework.
Lemma 4.3.
Let be an MA memory with oracle , such that cannot be queried in superposition. If a secret bit has at most keys such that , then given a single copy of , one can extract both and from with probability at least .
Remark 4.4.
The proof is given in Appendix D. Lemma 4.3 shows that in the paradigm of measureandaccess memories, our construction is essentially tight — in order to bound the adversary’s success probability of obtaining both secret bits by an inverse exponential, we require each secret bit to have exponentially many valid keys. Second, as in the setting of superposition queries, the above proof can be generalized to the setting in which the OTM returns the correct bit with probability at least for small . Finally, the question of whether a similar statement to Lemma 4.3 holds for a nonreversible token remains open.
Appendix A Universal Composition (UC) Framework
We consider simulationbased security. The Universal Composability (UC) framework was proposed by Canetti [Can01, Can00b], culminating a long sequence of simulationbased security definitions (c.f. [GMW87, GL91, MR92, Bea91, Can00a]); please see also [PW01, PS04, CDPW07, LPV09, MR11] for alternative/extended frameworks. Recently Unruh [Unr10] extend the UC framework to the quantum setting. Next, we provide a highlevel description of the original classical UC model by Canetti [Can01, Can00b], and then the quantum UC model by Unruh [Unr10].
a.1 Classical UC Model ([Can01, Can00b])
Machines.
The basic entities involved in the UC model are players where is polynomial of security parameter , an adversary , and an environment . Each entity is modeled as a interactive Turing machine (ITM), where could have an additional nonuniform string as advice. Each has identity assigned to it, while and have special identities and .
Protocol Execution.
A protocol specifies the programs for each , which we denote as . The execution of a protocol is coordinated by the environment . It starts by preparing inputs to all players, who then run their respective programs on the inputs and exchange messages of the form . can corrupt an arbitrary set of players and control them later on. In particular, can instruct a corrupted player sending messages to another player and also read messages that are sent to the corrupted players. During the course of execution, the environment also interacts with in an arbitrary way. In the end, receives outputs from all the other players and generates one bit output. We use denote the distribution of the environment ’s (singlebit) output when executing protocol with and the ’s.
Ideal Functionality and Dummy Protocol.
Ideal functionality is a trusted party, modeled by an ITM again, that perfectly implements the desired multiparty computational task. We consider an “dummy protocol”, denoted , where each party has direct communication with , who accomplishes the desired task according to the messages received from the players. The execution of with environment and an adversary, usually called the simulator , is defined analogous as above, in particular, monitors the communication between corrupted parties and the ideal functionality . Similarly, we denote ’s output distribution as .
Definition A.1 (Classical UCsecure Emulation).
We say (classically) UCemulates if for any adversary , there exists a simulator such that for all environments ,
(11) 
We here consider that and are computationally unbounded, and we call it statistical UCsecurity. We require the running time is polynomial in that of . We call this property Polynomial Simulation.
Let be a wellformed two party functionality. We say (classically) UCrealizes if for all adversary , there exists a simulator such that for all environments , . We also write if the context is clear.
UCsecure protocols admit a general composition property, demonstrated in the following universal composition theorem.
Theorem A.2 (UC Composition Theorem [Can00b]).
Let and be party protocols. Assume that UCemulates . Then UCemulates .
a.2 Quantum UC Model ([Unr10])
Now, we give a highlevel description of quantum UC model by Unruh [Unr10].
Quantum Machine.
In the quantum UC model, all players are modeled as quantum machines. A quantum machine is a sequence of quantum circuits , for each security parameter . is a completely positive trace preserving operator on space , where represents the internal workspace of and and represent the spaces for communication, where for convenience we divide the messages into classical and quantum parts. We allow a nonuniform quantum advice^{5}^{5}5Unruh’s model only allows classical advice, but we tend to take the most general model. It is easy to justify that almost all results remain unchanged, including the composition theorem. See [HSS11, Section 5] for more discussion. to the machine of the environment , while all other machines are uniformly generated.
Protocol Execution.
In contrast to the communication policy in classical UC model, we consider a network which contains the space . Namely, each machine maintains individual internal state space, but the communication space is shared among all . We assume contains the message which specifies the sender and receiver of the current message, and the receiver then processes the quantum state on . Note that this communication model implicitly ensures authentication. In a protocol execution, is activated first, and at each round, one player applies the operation defined by its machine on . In the end generates a onebit output. Denote the output distribution of .
Ideal Functionality.
All functionalities we consider in this work are classical, i.e., the inputs and outputs are classical, and its program can be implemented by an efficient classical Turing machine. Here in the quantum UC model, the ideal functionality is still modeled as a quantum machine for consistency, but it only applies classical operations. Namely, it measures any input message in the computational basis to get an classical bitstring, and implements the operations specified by the classical computational task.
We consider an “dummy protocol”, denoted , where each party has direct communication with , who accomplishes the desired task according to the messages received from the players. The execution of with environment and an adversary, usually called the simulator , is defined analogous as above, in particular, monitors the communication between corrupted parties and the ideal functionality . Similarly, we denote ’s output distribution as . For simplicity, we also write it as .
Definition A.3 (Quantum UCsecure Emulation).
We say quantumUCemulates if for any quantum adversary , there exists a (quantum) simulator such that for all quantum environments ,
(12) 
We consider here that and are computationally unbounded, we call it (quantum) statistical UCsecurity. We require the running time is polynomial in that of . We call this property Polynomial Simulation.
Similarly, (quantum) computational UCsecurity can be defined. Let be a wellformed two party functionality. We say quantumUCrealizes if for all quantum adversary , there exists a (quantum) simulator such that for all quantum environments , .
Quantum UCsecure protocols also admit general composition:
Theorem A.4 (Quantum UC Composition Theorem [Unr10, Theorem 11]).
Let and be quantumpolynomialtime protocols. Assume that quantum UCemulates . Then quantum UCemulates .
Remark A.5.
Out of the two protocol parties (the sender and the receiver), we consider security only in the case of the receiver being a corrupted party. Note that we are only interested in cases where the same party is corrupted with respect to all composed protocol. Furthermore, we only consider static corruption.
Appendix B StandAlone Security in the case of a Malicious Sender
Here, we recall notation that is used in the analysis of twoparty quantum protocol [DNS10].
Definition B.1.
An step quantum twoparty protocol with oracle calls, denoted consists of:

input space and for parties and respectively.

memory spaces and for and , respectively.

An tuple of quantum operations for , .

An tuple of quantum operations for , .

Memory spaces and can be written as and , and is an tuple of quantum operations: , .
If is an turn twoparty protocol, then the final state of the interaction upon input where is a system of dimension , is:
(13) 
As in [DNS10], we specify that an oracle can be a communication oracle or an ideal functionality oracle.
An adversary for an honest party in is an tuple of quantum operations matching the input and outputs spaces of . A simulator for is a sequence of quantum operations where has the same inputoutput spaces as the maps of at step . In addition, has access to the ideal functionality for the protocol .
Appendix C Security Analysis for the Token
We now provide the technical result (Theorem 3.4) that is used to prove security of our Quantum OTM construction of Section 3.1 against a linear number of queries. The statement below is informal; to make it formal, in Section C.3 we model the user’s interaction with the token via the GutoskiWatrous framework for quantum games [GW07]. The resulting formal statement we desire, which immediately yields the informal claim below, is given in Theorem C.3.
Theorem C.1 (Informal).
For any stateless hardware token implemented as in Program 1, i.e., using an qubit conjugate coding state , and for any user of the token (restricted only by the laws of quantum mechanics, meaning using any tracepreserving completely positive maps desired, regardless of efficiency of their implementation) making queries to the token, the probability the user successfully queries the token to extract both secret bits and is at most .
Thus, we are able to prove that if the user makes at most queries with , then the user’s probability of cheating successfully is exponentially small in .
The next sections show this claim, and are organized as follows. Sections C.1 and C.2 introduce notation, terminology, semidefinite programming, and the GutoskiWatrous quantum games framework. Section C.3 shows the formal version of the claim above, namely Theorem C.3.
c.1 Notation, quantum channels, and semidefinite programming
Notation.
Let be a finite dimensional complex Hilbert space. Then, , , , and denote the sets of linear, Hermitian, positive semidefinite, and density operators acting on , respectively. The notation means is positive semidefinite.
Quantum channels.
A linear map is a quantum channel if is tracepreserving and completely positive (TPCP). These are the channels which map density operators to density operators. Although we will not directly make use of it here (the GutoskiWatrous framework in Section C.2 will use the concept indirectly in our presentation), a useful representation of linear maps (or “superoperators”) is the ChoiJamiołkowski representation, . The latter is defined (with respect to some choice of orthonormal basis for ) as
(14) 
The following properties of hold [Cho75, Jam72]: (1) is completely positive if and only if , and (2) is tracepreserving if and only if . In a nutshell, the GutoskiWatrous framework generalizes this definition to interacting strategies [GW07].
Semidefinite programs.
We give a brief overview of semidefinite programs (SDPs) from the perspective of quantum information, as done e.g., in the notes of Watrous [Wat11] or [MVW13]. For further details, a standard text on convex optimization is Boyd and Vandenberghe [BV04].
Given any tuple for operators and , and linear map mapping Hermitian operators to Hermitian operators, one can state a primal and dual semidefinite program:
Primal problem (P) s.t. Dual problem (D) s.t.where denotes the adjoint of , which is the unique map satisfying for all and . Not all SDPs have feasible solutions (i.e. a solution satisfying all constraints); in this case, we label the optimal values as for P and for D, respectively. Note also that the SDP we derive in Equation (21) will for simplicity not be written in precisely the form above, but can without loss of generality be made so.
c.2 The GutoskiWatrous framework for quantum games
We now recall the GutoskiWatrous (GW) framework for quantum games [GW07], which can be used to model quantum interactions between spatially separated parties. The setup most relevant to our protocol here is depicted in Figure C.2.
Here, we imagine one party, , prepares an initial state . Register is then sent to the second party ( is kept as private memory), , who applies some quantum channel . keeps register as private memory, and sends back to , who applies channel , and sends to . The protocol continues for messages back and forth, until the final operation , in which performs a twooutcome measurement (specifically, a POVM , meaning , ) in order to decide whether to reject () or accept (). As done in [GW07], we may assume without loss of generality^{6}^{6}6This is due to the Stinespring dilation theorem. that all channels are given by linear isometries , i.e. . (A linear isometry satisfies . Such maps are roughly generalizations of unitary maps to nonsquare matrices.) Reference [GW07] refers to as a strategy and as a costrategy. In our setting, the former is “nonmeasuring”, meaning it makes no final measurement after is applied, whereas the latter is “measuring”, since we will apply a final measurement on space (not depicted in Figure C.2).
The GW framework then gives the ChoiJamiołkowski (CJ) representation of a strategy and (measuring) costrategy as follows. (Recall the definition of the ChoiJamiołkowski representation for superoperators is given in Section C.1, but the relationship between that definition and the more generalized development below for strategies/costrategies is not a priori obvious.)
CJ representation of (nonmeasuring) strategy.
The CJ representation is given by
(15) 
where is defined as the product of the isometries ,
(16) 
and the mapping is the linear extension of the map defined on all standard basis states .