Quantum One-Time Programs, Revisited

Aparna Gupte Jiahui Liu* Justin Raizes

[email protected] [email protected] [email protected]
Massachusetts Institute of Fujitsu Research of America Carnegie Mellon University
Technology Santa Clara, CA, USA Pittsburgh, PA, USA
Cambridge, MA, USA

Bhaskar Roberts Vinod Vaikuntanathan

[email protected] [email protected]
University of California, Berkeley Massachusetts Institute of
Berkeley, CA, USA Technology
Cambridge, MA, USA

Abstract CCS Concepts

One-time programs (Goldwasser, Kalai and Rothblum, • Theory of computation → Cryptographic protocols; Cryp-
CRYPTO 2008) are programs that can be run on any single in- tographic primitives; Quantum complexity theory.
put of a user’s choice, but not on a second input. Classically,
they are unachievable without trusted hardware, but the de- Keywords
structive nature of quantum measurements seems to provide cryptography, quantum cryptography, unclonable cryptogra-
an alternate path to constructing them. Unfortunately, Broad- phy, one-time program, obfuscation, idealized model
bent, Gutoski and Stebila (CRYPTO 2013) showed that even
with quantum techniques, a strong notion of one-time pro- ACM Reference Format:
Aparna Gupte, Jiahui Liu, Justin Raizes, Bhaskar Roberts, and Vinod
grams, similar to ideal obfuscation, cannot be achieved for
Vaikuntanathan. 2025. Quantum One-Time Programs, Revisited. In
any non-trivial quantum function. On the positive side, Ben- Proceedings of the 57th Annual ACM Symposium on Theory of Computing
David and Sattath (Quantum, 2023) showed how to construct (STOC ’25), June 23–27, 2025, Prague, Czechia. ACM, New York, NY,
a quantum one-time program for a certain (probabilistic) digi- USA, 10 pages. https://doi.org/10.1145/3717823.3718204
tal signature scheme, under a weaker notion of one-time pro-
gram security. There is a vast gap between achievable and 1 Introduction
provably impossible notions of one-time program security,
and it is unclear what functionalities are one-time program- The notion of one-time programs, first proposed by Goldwasser,
mable and which are not, under the achievable notions of se- Kalai and Rothblum [15], allows us to compile a program into
curity. one that can be run on a single input of a user’s choice, but
In this work, we present new, meaningful, yet achievable only one. If realizable, one-time programs would have wide-
definitions of one-time program security for probabilistic clas- ranging applications in software protection, digital rights man-
sical functions. We show how to construct one time programs agement, electronic tokens and electronic cash. Unfortunately,
satisfying these definitions for all functions in the classical or- one-time programs immediately run into a fundamental bar-
acle model and for constrained pseudorandom functions in rier: software can be copied multiple times at will, and there-
the plain model. Finally, we examine the limits of these no- fore, if it can be run on a single input of a user’s choice, it can
tions: we show a class of functions which cannot be one-time also be run on as many inputs as desired.
programmed in the plain model, as well as a class of func- To circumvent this barrier, [15] designed a one-time pro-
tions which appears to be highly random given a single query, gram with the assistance of a specialized stateful hardware
but whose quantum one-time program leaks the entire func- device that they called a one-time memory. A one-time mem-
tion even in the oracle model. ory is a device instantiated with two strings (𝑠 0, 𝑠 1 ); it takes as
input a choice bit 𝑏 ∈ {0, 1}, outputs 𝑠𝑏 and then self-destructs.
Using one-time memory devices, Goldwasser et al. showed
* Work partly done at MIT how to compile any program into a one-time program, as-
suming one-way functions exist. Goyal et al. [18] extended
these results by achieving unconditional security against ma-
Permission to make digital or hard copies of all or part of this work for personal licious parties and using a weaker type of one-time memories
or classroom use is granted without fee provided that copies are not made or that store single bits. Notwithstanding these developments,
distributed for profit or commercial advantage and that copies bear this notice
and the full citation on the first page. Copyrights for third-party components the security of these schemes rests on shaky grounds: security
of this work must be honored. For all other uses, contact the owner/author(s). relies on how much one is willing to trust the impenetrability
STOC ’25, Prague, Czechia of these hardware devices in the hands of a motivated and
© 2025 Copyright held by the owner/author(s).
ACM ISBN 979-8-4007-1510-5/25/06 resourceful adversary who may be willing to mount sophis-
https://doi.org/10.1145/3717823.3718204 ticated side-channel attacks. Which brings up the motivating
STOC ’25, June 23–27, 2025, Prague, Czechia Gupte, Liu, Raizes, Roberts, Vaikuntanathan

question of our paper: is there any other way to construct one- The starting point of this paper is that there is a vast gap be-
time programs? tween these two security notions. Within the gap, one could
One might hope that the quantum no-cloning theorem [27] imagine several meaningful and useful intermediate notions
might give us a solution. The no-cloning theorem states that of quantum one-time programs for classical randomized func-
quantum information cannot be generically copied, so if one tions. For example, strengthening the [8] definition, one could
can encode the given program into an appropriate quantum imagine requiring that the user should not even be able to
state, one might expect to circumvent the barrier. However, verify the correctness of two input-output pairs (and not just
there is a simple impossibility result by Broadbent, Gutoski be unable to produce them). Such a definition is a meaning-
and Stebila [11] that rules out quantum one-time versions of ful strengthening in the context of indistinguishability games
any deterministic program. Indeed, given a candidate quan- (such as in pseudorandom functions) rather than unpredictabil-
tum one-time program state |𝜓 𝑓 ⟩, an adversary can evaluate ity games (such as in digital signatures). One could also imag-
𝑓 many times on different inputs as follows: it first evaluates ine realizing one-time programs for a wider class of functions
the program on some input 𝑥, measures the output register to than the signature tokens of [8].
obtain 𝑓 (𝑥). Since 𝑓 is deterministic, the measurement does In this work, we revisit notions of quantum one-time pro-
not disturb the state of the program at all (if the computation grams and make progress on these questions. We propose a
is perfectly correct). The adversary then uncomputes the first number of security notions of quantum one-time programs
evaluation, restoring the initial program state. She can repeat for randomized functions; give constructions both in the plain
this process on as many inputs as she wishes. model and a classical oracle model; and examine the limits of
While this impossibility result rules out one-time programs these notions by showing negative results. We next describe
for deterministic functionalities, it raises the following natu- our contributions in more detail.
ral question:
1.1 Our Results
Can we obtain one-time programs for randomized functionalities?
Definitions. Our first contribution is definitional. We give
More concretely, can we construct quantum one-time programs correctness and security definitions for one-time programs
for randomized functions 𝑓 : X × R → Y that lets the user of classical randomized circuits, which we call one-time sam-
choose the input 𝑥 ∈ X but not the randomness 𝑟 ∈ R? One pling programs.
might hope that by forcing the evaluation procedure to utilize For correctness of a one-time sampling program for a clas-
the inherent randomness of quantum information in sampling sical 𝑓 , any honest user can choose its own input 𝑥 and the
𝑟 ← R, measuring the output would collapse the program evaluation gives 𝑓 (𝑥; 𝑟 ) for some random 𝑟 . For security, we
state in a way that does not allow further evaluations. How- lay out a list of different notions of security that we might
ever, once again, [11] showed that it is impossible to compile desire from the one-time sampling program.
any quantum channel into a one-time program, unless it is (es- We make a few attempts on a simulation-based definition:
sentially) learnable with just one query. This is a much more the desired one-time sampling program functionality should
general impossibility; in fact, it rules out non-trivial one-time be indistinguishable from an idealized functionality, where
programs for classical randomized functions. (We refer the we are allowed to make a single quantum query to a ”ran-
reader to Section 2 for a description of this impossibility re- domized oracle” for the target functionality 𝑓 . However, these
sult.) definitions run into several strong impossibility results, un-
On the other hand, more recently, Ben-David and Sattath [8] less assuming hardware assumptions. (See our technical man-
demonstrated the first instance of a one-time program for uscript Figure 1 and discussions in technical overview Sec-
a certain randomized function. In particular, they construct tion 2.1).
a digital signature scheme where the (randomized) signing We therefore explore a possible weakening on the single
procedure can be compiled into a one-time program that the quantum query access we allow in the ideal world. Inspired
user can use to generate a single signature for a message of by the compressed oracle technique in [28] used to record
her choice. queries for quantum random oracles, we re-define the single-
At a first glance, this positive result might seem like a con- query access oracle in the ideal world. Very informally, the
tradiction to the [11] impossibility; however, that is not so, randomized oracle would record queries so that it allows only
and the difference lies in which definition of one-time pro- one "informative" query to be made, but potentially many
grams one achieves. Ben-David and Sattath [8] achieve a much more dummy queries. We then give a new simulation-based
weaker notion of one-time security than what was proven to definition based on this oracle we call single-effective-query
be impossible by [11]. On the one hand, [11] demanded that oracle1 , which allows us to bypass the above impossibility
an adversarial user should not be able to do anything other results.
than evaluate the one-time program on a single input, an
ideal obfuscation-like guarantee [6, 20]. On the other hand,
the positive result of [8] only claimed security in the sense
that an adversarial user cannot output two different valid sig- 1We refer to the traditional single query oracle which allows literally one query

natures. as single-physical-query oracle.

Quantum One-Time Programs, Revisited STOC ’25, June 23–27, 2025, Prague, Czechia

We additionally introduce a weaker but highly useful secu- Our second impossibility result shows that there exists a fam-
rity definition called operational definition, in which the ad- ily of randomized functions with high min-entropy and is un-
versary cannot "evaluate" twice given a one-time program2 . learnable under a single physical query. But it cannot be one-
time programmed even in the classical oracle model, even
Constructions. We give a very generic construction for one- under the weakest possible operational security definitions4 .
time sampling programs in the classical oracle model3 , in- We demonstrate the definitions presented in this work and
spired by the one-time signature scheme in [8]. We allow an their corresponding impossibilities and/or constructions in
honest user to choose its own input and then generate a ran- Figure 1. We recommend the readers to come back to this fig-
dom string by measuring a “signature token” state. The eval- ure after going through the technical overview.
uation is on the user’s input together with this freshly gener-
ated randomness. Applications. Using the techniques we developed for one-
In particular, an honest evaluator does not need to run time programs, we construct the following one-time crypto-
a classical circuit coherently on a quantum input, but only graphic primitives:
needs quantum memory and one measurement to evaluate • One-Time Signatures. We compile a wide class of exist-
the program in our construction. However, our construction ing signature schemes to add signature tokens, which
has security even against adversaries who can evaluate large- allow a delegated party to sign exactly one message
depth quantum circuits coherently on quantum states. In other of their choice. Notably, our construction only changes
words, our construction can be honestly evaluated using a rel- the signing process while leaving the verification al-
atively weak quantum computer, but still has security against most unmodified, unlike [8]’s construction. Thus, it en-
adversaries using a full quantum computer. ables signature tokens for existing schemes with keys
We prove its security under the single-effective-query which are already distributed.
simulation-based definition. • One-Time NIZK Proofs. We show how a proving au-
thority can delegate to a subsidiary the ability to non-
T HEOREM 1.1. (Informal) There exists a secure one-time sam- interactively prove a single (true) statement in
pling program for all functions (with sufficiently long randomness) zero-knowledge.
in the classical oracle model, with respect to our simulation-based, • Public-Key Quantum Money. We show that one-time
single-effective-query model one-time sampling security. programs satisfying a mild notion of security imply public-
key quantum money.
We also instantiate the classical oracle using indistinguisha-
bility obfuscation, to get a compiler in the plain model, and Future Work. For future work, some possible directions and
prove its security for the class of pseudorandom functions un- applications may be one-time MPC, one-time encryptions with
der an operational security definition for cryptographic func- advanced security. As discussed in a concurrent work [19],
tionalities. another interesting application is one-time tokens for large
language models.
T HEOREM 1.2 (I NFORMAL ). Assuming post-quantum iO and
LWE (or alternatively subexponentially secure iO and OWFs), there 2 Technical Overview
exists one-time sampling programs for constrained PRFs.
2.1 Definitional Work
Impossibilities. To complement our constructions in the clas- First Attempt at Defining One-Time Sampling Programs. As
sical oracle model and the plain model, we also give two new we discussed in the introduction, we cannot achieve one-time
negative results. The first negative result shows we cannot security for deterministic classical functions without hardware
hope to one-time program all randomized functionalities in the assumptions, even after encoding them into quantum states:
plain model, even under the weakest possible operational se- by applying the gentle measurement lemma [1, 26], any ad-
curity definitions. This impossibility is inspired by the work versary can repair the program state after a measurement on
of [3, 5]. We tweak the idea to work with randomized circuits the program’s output that gives a deterministic outcome.
that can only be evaluated once. We therefore resort to considering classical randomized com-
T HEOREM 1.3 (I NFORMAL ). Assuming LWE and quantum putation, which we model as the following procedure: the
FHE, there exists a family of circuits with high min-entropy out- user (adversary) can pick its own input 𝑥; the program sam-
puts but no secure one-time sampling programs exist for them. ples a random string 𝑟 for the user and outputs the evalu-
ation 𝑓 (𝑥, 𝑟 ) for the user, for some deterministic function 𝑓 .
We also show that having high min-entropy outputs is not Note that it’s essential that the user does not get to pick their
a sufficient condition to have a secure one-time programs. own randomness 𝑟 – otherwise the evaluation is determinis-
tic again and is subject to the above attack.
2 Throughout the work, we may use the terms "one-time programs" and "one- 4 This function is securely one-time programmable under the single-effective-
time sampling programs" interchangeably. But they both refer to one-time sam- query simulation-based definition, but in a "meaningless" sense since both
pling programs unless otherwise specified. the simulator and the real-world adversary can fully learn the functionality.
3 A classical oracle is a classical circuit that can be accessed coherently by quan- This demonstrates the separations and relationships between several of our
tum users in a black-box manner. definitions.
STOC ’25, June 23–27, 2025, Prague, Czechia Gupte, Liu, Raizes, Roberts, Vaikuntanathan

Definition Impossibilities Construction

Single physical query, Strong impossibility For single physical
quantum-output, simulation-based in oracle model query learnable
(Section 2.1) (trivial) functions only
[11]
Single physical query, Impossibility for generic N/A
classical-output, simulation-based construction in oracle model
(Section 2.3)
Single effective query Impossibility for generic For all functions
quantum-output, constructions in plain (with proper randomness
simulation-based model (Section 2.3) length) in classical oracle model
Operational definitions Impossibility for generic For random functions
constructions in plain in classical oracle model;
model (Section 2.3) For constrained PRF, NIZK, signatures
in plain model

Figure 1: Definitions with Impossibilities and Constructions. The exact impossibility results and positive results for operational definitions
depend on which definition of single-query model we work with. See the full version for details

For correctness, we need to guarantee that after an hon- A may be able to perform various attacks that the simula-
est evaluation, the user gets the outcome 𝑓 (𝑥, 𝑟 ) for its own tor cannot do: for instance, homomorphic evaluation on the
choice of 𝑥 and a uniformly random 𝑟 . For security, the hope one-time program. Then one can show that there exists a fam-
is that when the output of 𝑓 looks "random enough" (e.g. 𝑓 is ily of circuits, even though "unlearnable" when only given
a hash function or a pseudorandom function), the adversary query access, can always be fully learned (i.e. the adversary
should not be able to do more than evaluating the program can fully recover the functionality) once given non-black-box
honestly once. We discuss several candidate definitions, the access. As demonstrated in [3, 5], this type of non-black-box
corresponding impossibility results as well as our solutions attacks are applicable even if the obfuscation program is a
that circumvent the impossibilities. quantum state.
Ideally, we would establish a simulation-based security def- One may wonder if we can simply use the above impos-
inition. This might require the existence of a QPT algorithm sibility result above for quantum VBB directly as an impos-
Sim which can produce the adversary’s real-world view given sibility result for the one-time program in the plain model.
a single query to 𝑓 : However, there are subtleties we need to deal with: the cir-
cuit in the quantum obfuscated program in the above results
OTP(𝑓 ) ≈ Sim 𝑓1 ([3, 5]) is deterministic, which will give a trivial impossibil-
where 𝑓1 denotes that Sim may query 𝑓 a single time. Indeed, ity result in the one-time program setting, irrelevant to non-
such a definition is formalized, and subsequently ruled out, black-box access. Moreover, the adversary receiving the one-
by Broadbent, Gutoski, and Stebila [11]. time program is only able to evaluate once and the program
This definition can be adapted to sampling programs by may get destroyed. In our case, we need a sampling program
considering sampling 𝑓 from a function family F at the start with high min-entropy outputs where one can still apply a
of the experiment. Additionally, to prevent a trivial definition non-black-box attack with one single evaluation. We design
which can be satisfied by Sim choosing its own 𝑓 , the distin- a slightly contrived secret-key encryption circuit that leads
guisher gets access to the sampled 𝑓 : to the impossibility result in the plain model – we will elab-
orate its details in a later paragraph 2.3 and formally in the
{𝑓 , OTP(𝑓 )} 𝑓 ←F ≈ {𝑓 , Sim 𝑓1 } 𝑓 ←F full version.. For now, let us proceed with the discussion on
Unfortunately, this candidate definition suffers from impossi- the definitions.
bility results of its own.
Barriers for Stateless One-Time Programs. Even more prob-
Impossibility Results for the "Traditional" Simulation-Based Def- lematic, the above definition encounters impossibilities even
initions. As often applicable to simulation-based definitions, in the oracle model, where we ensure that the program re-
the first impossibility results from the separation between the ceived by A consists of oracle-aided circuits, preventing the
simulated oracle world and a plain model where the one-time non-black-box attack described earlier from applying.
program can be accessed in a possibly non-black-box way. This limitation primarily arises from the fact that Sim is
Our one-time program we give to A consists of plain-model given a stateful oracle, while A is provided with a stateless
circuits (actual code) and quantum states, instead of oracle one-time program (which includes a stateless oracle). To il-
circuits. Our simulator is given only oracle access to 𝑓 . Once lustrate, consider the following A and distinguisher D: A
A has non-black-box access to the given one-time program, receives a possibly oracle-aided program and simply passes
Quantum One-Time Programs, Revisited STOC ’25, June 23–27, 2025, Prague, Czechia

the program itself to D. Let O 𝑓 be a stateless oracle for 𝑓 that an oracle single physical query oracle). Therefore, Sim is more
outputs 𝑦 = 𝑓 (𝑥, 𝑟 ) on any input (𝑥, 𝑟 ) and not restricted in the restricted than the A in real world.
number of queries that it can answer. D is given arbitrary or-
The Single-Effective-Query Model. To avoid the above issue,
acle access to O 𝑓 so D can perform the following attack using
we consider a weakening on the restriction of the "single query"
gentle measurement and un-computation:
which Sim can make. In the traditional one-time security, Sim
(1) Evaluate the program given by A on a |𝑥 1 ⟩ inp |0⟩ out |0⟩ check can merely make one physical query, but A and D can ac-
where the input register inp contains 𝑥 1, 𝑟 1 , some arbi- tually make many queries, as long as the measurements on
trary 𝑥 1 of D’s choice and some randomness 𝑟 1 sam- those queries they make are "gentle" (for example, a query
pled by the program. out is an output register and check where the outcome 𝑓 (𝑥, 𝑟 ) is unmeasured and later uncom-
is an additional register in D’s memory. puted) or repeated (for example, two classical queries on the
(2) Get outcome |𝑥 1 ⟩ inp |𝑟 1, 𝑦1 = 𝑓 (𝑥 1, 𝑟 1 )⟩ out |0⟩ check . same (𝑥, 𝑟 )).
(3) But D does not proceed to measure the register out. In- In the single-effective-query model, we relax Sim’s single-
stead it performs a gentle measurement by checking if physical-query restriction to also allow multiple queries, as
the 𝑦1 value in out is equal to the correct 𝑦1 = 𝑓 (𝑥 1, 𝑟 1 ), long as they are "gentle" or repeated. We will define a state-
writing the outcome in register check. It can do so be- ful oracle 𝑓SEQ which tracks at all times which evaluations
cause it has access to O 𝑓 . Then it measures the bit in 𝑓 (𝑥; 𝑟 ) the adversary has knowledge about. If 𝑓SEQ receives
register check. a query to some 𝑥 ′ while it knows the adversary has knowl-
(4) Since the above measurement gives outcome 1 with edge about an evaluation on 𝑥 ≠ 𝑥 ′ , it will refuse to answer.
probability 1, D can uncompute the above results and Using this oracle, we may define single-effective query
make sure that the program state is undisturbed. Then, simulation-security in the same manner as our previous at-
it can evaluate the program again on some different 𝑥 2 tempt by giving the simulator access to the single-effective-
of its choice. query oracle 𝑓SEQ instead of the single-physical-query oracle
(5) But when given a simulator’s output, Sim cannot pro- 𝑓1 :
duce a program that contains more information than OTP(𝑓 ) ≈ Sim 𝑓SEQ
what’s given in a single quantum oracle access to 𝑓 .
Therefore, unless Sim can "learn" 𝑓 in a single quan- The reader may be concerned that since 𝑓 is not sampled
tum query and produce a program that performs very from any distribution here, this definition is subject to the pre-
closely to a real program on most inputs, D may easily viously discussed impossibility for deterministic functions.
detect the difference between two worlds. As we will see shortly, the randomization of 𝑓 is directly baked
in to the definition of 𝑓SEQ .
The above argument is formalized in [11], which rules out
stateless one-time programs for quantum channels even in Defining the Single-Effective-Query Oracle. To define the single-
the oracle model unless the function can be learned in a single effective query oracle 𝑓SEQ , we use techniques from compressed
query (for example, a constant function). The above simulation- random oracles, which were introduced by Zhandry to ana-
based definition discussed can be viewed as a subcase of [11]’s lyze analyze security in the quantum-accessible random ora-
definition. Only in this trivial case, Sim can fully recover the cle model (QROM) [28]. Very roughly speaking, a compressed
functionality of 𝑓 and make up a program that looks like a oracle gives an efficient method of simulating quantum query
real world program, since both Sim and A can learn every- access to a random oracle on the fly by lazily sampling re-
thing about 𝑓 . sponses in superposition which can be "forgotten" as neces-
To get around the above oracle-model attack, we first con- sary.
sider the following weakening: what if we limit both the ad- The first main idea in [28] compressed oracle technique is
versary and simulator to output only classical information? In- to take a purified view on the joint view of the adversary’s
tuitively, this requires both A and Sim to dequantize and "com- query register and the oracle: evaluating a random function
press" what they can learn from the program/oracle into a in the adversary’s view is equivalent to evaluating on some
piece of classical information, so that A cannot output the function 𝐻 from a uniform superposition over all functions
Í
entire functionality unless it has "learned" the classical de- (of corresponding input and output length) 𝐻 |𝐻 ⟩ H . When
Í
scription of the functionality. However, we will show in 2.3 adversary makes a query of the form 𝑥,𝑢 𝛼𝑥,𝑢 |𝑥, 𝑢⟩, the ora-
that there even exists a function with high min-entropy out- cle applies the operation
put such that its classical description can be "learned" given ∑︁ ∑︁ ∑︁
any stateless, oracle-based one-time sampling program, but 𝛼𝑥,𝑢 |𝑥, 𝑢⟩ ⊗ |𝐻 ⟩ ⇒ 𝛼𝑥,𝑢 |𝑥, 𝑢 + 𝐻 (𝑥)⟩ ⊗ |𝐻 ⟩
𝑥,𝑢 𝐻 𝑥,𝑢,𝐻
is unlearnable given only a single query. Thus we will need
to explore other avenues Zhandry’s second contribution is a method to "compress" the
These impossibility results appear to stem more from a exponentially large superposition into a small database. It
definitional limitation than a fundamental obstacle. The ad- will be instructive to first consider the uncompressed version,
versary is always given a stateless program, but the oracle so we defer details about the compressed version to later.
given to the simulator is by definition strongly stateful: it To define 𝑓SEQ , we allow it to maintain a purified version
shuts down after answering any single query (we call such of 𝐻 , which it represents as a truth table. In other words, it
STOC ’25, June 23–27, 2025, Prague, Czechia Gupte, Liu, Raizes, Roberts, Vaikuntanathan

maintains a register H = (H𝑥 )𝑥 ∈ X which is initialized to • Unforgeability. To have any hope that 𝑓 has properties
∑︁ Ì Ì ∑︁ that cannot be learned with SEQ access, 𝑓 cannot be
|𝐻 ∅ ⟩ H B |𝐻 (𝑥)⟩ H𝑥 = |𝑟 ⟩ H𝑥 learnable given, say, a single evaluation 𝑓 (𝑥; 𝑟 ).
𝐻 :X→R 𝑥 ∈𝑋 𝑥 ∈𝑋 𝑟 ∈ R
As an example, truly random functions exemplify both of
When 𝑓SEQ decides to answer a query |𝑥, 𝑢⟩, it computes |𝑥, 𝑢 ⊕ 𝑓 (𝑥; 𝐻these
(𝑥))⟩ properties. A truly random function has maximal ran-
by reading register H𝑥 in the computational basis. The first domness on every input and 𝑓 (𝑥; 𝑟 ) is independent of 𝑓 (𝑥 ′ ; 𝑟 ′ ).
query made results in the joint state We formally explore SEQ access to truly random functions
𝑈 𝑓$ ∑︁
and a few other function families in the full version.
|𝑥 ∗, 𝑢⟩ Q ⊗ |𝐻 ∅ ⟩ −→ |𝑥 ∗, 𝑢 ⊕ 𝑓 (𝑥 ∗, 𝑟 )⟩ Q ⊗ |𝑟 ⟩ H𝑥 ∗
𝑟 2.2 Positive Results
∑︁ Ì
⊗ |𝐻 (𝑥)⟩ H𝑥 Construction with Classical Oracles. We now give an overview
𝐻 :𝐻 (𝑥 ∗ )=𝑟 𝑥 ∈ X,𝑥≠𝑥 ∗ on our construction using classical oracles . We show security
with respect to the simulation-based definition where the sim-
If 𝑓 (𝑥; 𝑟 ) were to uniquely determine 𝑟 , then measuring ulator queries a single-effective-query oracle.
𝑓 (𝑥 ∗, 𝐻 (𝑥 ∗ )) would fully collapse register H𝑥 ∗ while leaving Our construction in the oracle model is inspired by the use
the others untouched. Afterwards, the single-effective-query of the "hidden subspace states" in the literatures of quantum
oracle 𝑓SEQ could detect which input was evaluated and mea- money [2], signature tokens and quantum copy protection [8,
sured by comparing each register H𝑥 to the uniform super- 13]. A subspace state |𝐴⟩ is a uniform superposition over all
Í
position 𝑟 ∈ R |𝑟 ⟩. It could then use this information to de-
vectors in some randomly chosen, secret subspace 𝐴 ⊂ F𝜆2 .
cide whether to answer further queries. On the other hand, Í
Specifically, |𝐴⟩ ∝ 𝑣 ∈𝐴 |𝑣⟩, where dimension of 𝐴 is 𝜆/2 and 𝜆
if there were many collisions 𝑓 (𝑥 ∗ ; 𝑟 ∗ ) = 𝑓 (𝑥 ∗ ; 𝑟 2∗ ) or the ad-
is the security parameter. These parameters ensure that 𝐴 has
versary erased its knowledge of 𝑓 (𝑥 ∗ ; 𝑟 ∗ ) by querying on the
exponentially many elements but is still exponentially small
same register again, then H𝑥 ∗ might not be fully collapsed. In
compared to the entire space.
this case, it is actually beneficial that 𝑓SEQ does not completely
At a high-level, our one-time scheme requires an autho-
consider 𝑥 ∗ to have been queried, since this represents a "gen-
rized user to query an oracle on subspace vectors of 𝐴 or its
tle" query which would allow the adversary to continue eval-
dual subspace 𝐴⊥ . Let 𝑓 be the function we want to one-time
uating a real one-time program.
program. Consider the simple case where 𝑥 is a single bit in
When we switch to the compressed version of 𝐻 , collaps-
{0, 1}. Let 𝐺 be a PRG or extractor (which can be modeled as
ing H𝑥 ∗ to |𝑟 ∗ ⟩ corresponds to recording (𝑥 ∗, 𝑟 ∗ ) in a data-
a random oracle since we already work in oracle model). The
base 𝐷. Since the adversary’s queries may be in superposi-
one-time program consists of a copy of the subspace state |𝐴⟩
tion, the database register H may become entangled with
along with access to the following classical oracle:
the adversary. In other words, the general state of the sys-
Í
tem is 𝑎,𝐷 𝛼𝑎,𝐷 |𝑎⟩ A ⊗ |𝐷⟩ H where A belongs to the adver- 

 𝑓 (𝑥, 𝐺 (𝑣)) if 𝑥 = 0, 𝑣 ∈ 𝐴
sary and H belongs to 𝑓SEQ . Using this view, 𝑓SEQ may di-


O (𝑥, 𝑣) = 𝑓 (𝑥, 𝐺 (𝑣)) if 𝑥 = 1, 𝑣 ∈ 𝐴⊥ .
rectly read the currently recorded query off of its database 
⊥ otherwise

register to decide whether to answer a new query. The entan- 
glement between the adversary’s register and the database To evaluate on input 𝑥, an honest user will measure the
register enables 𝑓SEQ to answer or reject new queries 𝑥 pre- state |𝐴⟩ to obtain a uniform random vector in subspace 𝐴, if
cisely when the adversary does not have another outstand- 𝑥 = 0; or apply a binary QFT to |𝐴⟩ and measure to obtain a
ing query 𝑥 ′ . As a result, the database register will always uniform random vector in the dual subspace 𝐴⊥ , if 𝑥 = 1. It
contain databases with at most one entry. then inputs (𝑥, 𝑣) into the oracle O and will obtain the eval-
uation O (𝑥, 𝐺 (𝑣)) where the randomness 𝐺 (𝑣) is uniformly
Functions for which SEQ Access is Meaningful. The single- random after putting the subspace vector into the random
effective-query simulation definition captures all functions, oracle.
including those that are trivially one-time programmable. Sim- For security, we leverage an "unclonability" property of the
ilarly to the notion of ideal or virtual black-box obfuscation, state |𝐴⟩ ([7, 8]) called "direct-product hardness": an adver-
any "unlearnability" properties depend on the interaction of sary, given one copy of |𝐴⟩, polynomially bounded in query
the function with the obfuscation definition. For example, de- to the above oracle should not be able to produce two vectors
terministic functions can be fully learned given access to an 𝑣, 𝑣 ′ which satisfy either of the following: (1) 𝑣 ∈ 𝐴, 𝑣 ′ ∈ 𝐴⊥ ;
SEQ oracle, since measuring evaluations will never restrict (2) 𝑣, 𝑣 ′ ∈ 𝐴 or 𝑣, 𝑣 ′ ∈ 𝐴⊥ but 𝑣 ≠ 𝑣 ′ .
further queries. First, we consider a simpler scenario: this evaluation is de-
Intuitively, a function must satisfy two loose properties in structive to the subspace state if the user has obtained the out-
order to have any notion of unlearnability with SEQ access: come 𝑓 (𝑥, 𝐺 (𝑣)) and the function 𝑓 behaves random enough
• High Randomness. To restrict further queries, learning so that measuring the output 𝑓 (𝑥, 𝐺 (𝑣)) is (computationally)
(via measuring) 𝑓 (𝑥; 𝑟 ) must collapse the SEQ oracle’s equivalent to having measured the subspace state 𝑣. Now, it
internal state, causing (𝑥, 𝑟 ) to be recorded in the puri- will be hard for the user to make a second query into the or-
fied oracle 𝐻 . acle O on a different input (𝑥 ′, 𝑣 ′ ) so that either 𝑥 ≠ 𝑥 ′ or
Quantum One-Time Programs, Revisited STOC ’25, June 23–27, 2025, Prague, Czechia

𝑣 ≠ 𝑣 ′ because it would lead to breaking the direct-product needs to answer some challenges from the challenger with re-
hardness property mentioned above. spect to the cryptographic functionality 𝑓 . The security guar-
More generally, however, 𝑓 may be only somewhat ran- antees that A’s probability of winning both challenges for
dom, or the adversary may perform superposition queries. 𝑖 ∈ {1, 2} is upper bounded by its advantage in a crypto-
In these cases, |𝐴⟩ will be only partially collapsed in the real graphic security game of winning a single such challenge, but
program, potentially allowing further queries. This partial without having acess to the one-time program.
collapse also corresponds to a partial collapse of the single- For some cryptographic functionalities, this cryptographic
effective-query oracle’s database register, similarly restricting challenge is simply to compute 𝑦𝑖 = 𝑓 (𝑥𝑖 , 𝑟𝑖 ). A good example
further queries. is a one-time signature scheme: A produces two messages
To establish security, the main gap that the simulator needs of its own choice, but it should not be able to produce valid
to bridge is the usage of a subspace state |𝐴⟩ versus a purified signatures for both of them with non-negligible probability.
random oracle to control query access. Additionally, the real More generically, A produces two message-randomness
world evaluates 𝑓 (𝑥, 𝐺 (𝑣)), where 𝑣 is a subspace vector cor- pairs and gives them to the challenger. Then the challenger
responding to 𝑥, while the ideal world evaluates 𝑓 (𝑥, 𝐻 (𝑥)) prepares some challenges independently for 𝑖 ∈ {1, 2} and
directly.5 If we were to purify 𝐺 as a compressed oracle, then A has to provide answers so that A’s inputs, the challenges
|𝐴⟩ collapsing corresponds to 𝐺 recording some subspace vec- and final answer need to satisfy a predicate. In the above
tor 𝑣 in its database. At a high level, this allows the simulator signature example, the predicate is simply verifying if the
to bridge the aforementioned gap by using a careful caching signature is a valid one for the message. Another slightly
routine to ensure that |𝐴⟩ collapses/𝑣 is recorded in the cache more contrived predicate is answering challenges for a pseu-
if and only if 𝑥 is recorded in 𝐻 . Using the direct product dorandomness game of a PRF: receiving an OTP for a PRF,
hardness property, we can be confident that at most one 𝑣 and no QPT adversary can produce two input-randomness pairs
corresponding 𝑥 are recorded in the simulator. Thus, to show (𝑥 1, 𝑟 1 ), (𝑥 2, 𝑟 2 ) of its own choice such that it can win the pseu-
that the simulator is indistinguishable from the real one-time dorandomness game with respect to both of these inputs. That
program, we can simply swap the role of 𝑥 and 𝑣 in the oracle, is, the challenger will flip two independent uniform bits for
changing between 𝐺 and 𝐻 . We provide more details in the each 𝑖 ∈ {1, 2} to decide whether let 𝑦𝑖 = PRF(𝑥𝑖 , 𝑟𝑖 ) or let
full version. 𝑦𝑖 be real random. The security says that A’s overall advan-
tage should not be noticeably larger than 1/2; A can always
Operational Security for Cryptographic Functionalities. While evaluate once and get to answer one of the challenges with
the classical oracle construction is clean, implementing the or- probability 1, but for the other challenge it can only make a
acle itself with concrete code will bump into the plain model random guess.
versus black-box obfuscation barrier again. We cannot hope
to make one-time sampling programs for all functions (not
even for all high min-entropy output functions) in the plain One-Time Program for PRFs in the Plain Model. However, one
model, due to the counter-example we provide in the first cannot hope to achieve a one-time program construction that
paragraph of 2.3 we will soon come to. Moreover, the simu- is secure for all functions in the plain model, even if we con-
lation definition we achieve above captures functions all the sider the most restrict ourselves to the weakest operational
way from those that can be meaningfully one-time programmed, definition and high min-entropy output functions. As afore-
like a random function, to those "meaningless" one-time pro- mentioned, we give the counter-example of such a circuit (as-
grams of for example a constant function, which can be learned suming some mild computational assumptions) in the next
in a single query. paragraph 2.3.
One may wonder, what are some meaningful functional- We therefore turn to considering constructions for specific
ities we can implement a one-time program with and what functionalities in the plain model and a give a secure con-
are some possible security notions we can realize for them in struction for a family of PRFs, with respect to the aforentioned
the plain model? security guarantee: no QPT adversary can produce two input-
We consider a series of relaxed security notions we call "op- randomness pairs (𝑥 1, 𝑟 1 ), (𝑥 2, 𝑟 2 ) of its own choice such that
erational one-time security definition", which can be implied it can win the pseudorandomness game with respect to both
by the simulation-based definition. The intuition of these se- of these inputs.
curity definitions is to characterize "no QPT adversary can To replace the oracle in the above construction, we use iO
evaluate the program twice". (which stands for indistinguishability obfuscation, [6]) which
Consider a cryptographic functionality 𝑓 , we define the se- guarantees that the obfuscations of two functionally-equivalent
curity game as follows: the QPT adversary A receives a one- circuits should be indistinguishable.
time program for 𝑓 and will output its own choice of two The construction in the plain model bears similarities to
input-randomness pairs (𝑥 1, 𝑟 1 ), (𝑥 2, 𝑟 2 ). For each (𝑥𝑖 , 𝑟𝑖 ), A the one in the oracle model. Let PRF𝑘 (·) be the PRF as our ma-
jor functionality. In our actual construction, we use another
PRF 𝐺 on the subspace vector 𝑣 to extract randomness, but
5 Although 𝐻 and 𝐺 are both random oracles, we differentiate them to empha- we omit it here for clarity of presentation. We give out a sub-
size that they act on different domains. space state |𝐴⟩ and an iO of a program.
STOC ’25, June 23–27, 2025, Prague, Czechia Gupte, Liu, Raizes, Roberts, Vaikuntanathan

The following program is a simplification of the actual pro- used to show an impossibility result in the plain model, in-
gram we put into iO: spired by the approach in [3, 5]. This impossibility holds even
for the weakest definition we consider: A is not able to produce


 PRF𝑘 (𝑥, 𝑣) if 𝑥 = 0, 𝑣 ∈ 𝐴 two input-output pairs after getting one copy of the OTP.


PRF𝑘,𝐴 (𝑥, 𝑣) = PRF𝑘 (𝑥, 𝑣) if 𝑥 = 1, 𝑣 ∈ 𝐴⊥ . We have provided a table in Figure 1 in Section 1.1 that
demonstrates the several security definitions we discuss in

⊥ otherwise

this work, their corresponding impossibility results and pos-

To show security, we utilize a constrained PRF ([10]): a con- itive results. Please refer to the table so that the relationships
strained PRF key 𝑘𝐶 constrained to a circuit 𝐶 will allow us to between the several definitions proposed in this work are
evaluate on inputs 𝑥 that satisfy 𝐶 (𝑥) = 1 and output ⊥ on the clearer.
inputs that don’t satisfy. The constrained pseudorandomness We design an encryption circuit 𝐶 with a random "hidden
security guarantees that the adversary should not be able dis- point" such that when having non-black-box access to the
tinguish between (𝑥, PRF𝑘 (𝑥)) and (𝑥, 𝑦 ← random), where A circuit, one can "extract" this hidden point using a quantum
can choose 𝑥 such that 𝐶 (𝑥) = 0 and 𝑘 is the un-constrained fully homomorphic encryption on the one-time program. How-
key. ever, when having only oracle access, one cannot find this
In our proof, we can use hybrid arguments to show that we hidden point within any polynomial queries.
can use the adversary to violate the constrained pseudoran- Let SKE be a secret key encryption scheme. Let 𝑎, 𝑏 be two
domness security. Let us denote 𝐴0 = 𝐴, 𝐴1 = 𝐴⊥ . First we in- randomly chosen values in {0, 1}𝑛 .
voke the security of iO: we change the above program to one
Input: (𝑥 ∈ {0, 1}𝑛 , 𝑟 ∈ {0, 1}ℓ )
using a constrained key 𝑘𝐶 to evaluate PRF, where 𝐶 (𝑥, 𝑣) = 1
Hardcoded: (𝑎, 𝑏, Enc.sk)
if and only if 𝑣 ∈ 𝐴𝑥 . The circuit has the equivalent function-
if 𝑥 = 𝑎: output SKE.Enc(Enc.sk, 𝑏; 𝑟 )
ality as the original one. Next, we invoke a computational
else: output SKE.Enc(Enc.sk, 𝑥; 𝑟 ).
version of subspace state direct-product hardness property:
we change the one-time security game to rejecting all adver- The above circuit also comes with some classical auxiliary
sary’s chosen inputs (𝑥 1, 𝑣 1 ), (𝑥 2, 𝑣 2 ) such that both 𝑣 1 ∈ 𝐴𝑥 1 information, given directly to A in the real world (and Sim
and 𝑣 2 ∈ 𝐴𝑥 2 hold. Such a rejection only happens with negli- in the simulated world, apart from giving oracle access). Let
gible probability due to the direct-product hardness property. QHE be a quantum fully homomorphic encryption with se-
Finally, the adversary must be able to produce some (𝑥, 𝑣) mantic security. We also need a compute-and-compare obfus-
where 𝐶 (𝑥, 𝑣) = 0 and distinguish PRF𝑘 (𝑥, 𝑣) from a random cation program (which can be built from LWE). A compute-
value. We therefore use it to break the constrained pseudoran- and-compare obfuscation program is obfuscation of a circuit
domness security. CC[𝑓 , 𝑚, 𝑦] that does the following: on input 𝑥, checks if 𝑓 (𝑥) =
𝑦; if so, output secret message 𝑚, else output ⊥. The obfusca-
More Applications and Implications: Generic Signature Tokens, tion security guarantees that when 𝑦 has a high entropy in the
NIZK, Quantum Money. We show a way to lift signature schemes view of the adversary, the program is indistinguishable from
that satisfy a property called blind unforgeability to possess a dummy program always outputing ⊥ (a distributional gen-
one-time security. Unlike the [8] signature token scheme where eralization of a point function obfuscation).
the verification key has to be updated once we delegate a one- In the auxiliary information, we give out ct𝑎 = QHE.Enc(𝑎)
time signing token to some delegatee, our signature token and the encryption key, evaluation key QHE.pk for the QFHE
scheme can use an existing public verification procedure. scheme. We also give the compute-and-compare obfuscation
Apart from the above one-time PRF in the plain model, we for the following program:
also instantiate one-time NIZK from iO and LWE in the plain
(
model, using a similar construction as in the one-time PRF (SKE.sk, QHE.sk) if 𝑓 (𝑥) = 𝑏
and the NIZK from iO in [25]. The proof requires more careful CC[𝑓 , (SKE.sk, QHE.sk), 𝑏] =
⊥ otherwise
handling because the NIZK proof also has publicly-verifiable
property. where 𝑓 (𝑥) = SKE.Dec(SKE.sk, QHE.Dec(QHE.sk, 𝑥)). Any ad-
Finally, we show that one-time program for publicly verifi- versary with non-black-box access to the program can homo-
able programs (e.g. signature, NIZK) implies public-key quan- morphically encrypt the program and then evaluate to get
tum money. Despite the destructible nature of the one-time a QFHE encryption of a ciphertext SKE.Enc(𝑏) (doubly en-
program, we can design a public verification procedure that crypted by SKE and then QHE ). This ciphertext, once put into
gently tests a program’s capability of computing a function the above CC obfuscation program, will give out all the se-
and use a one-time program token state as the banknote. crets we need to recover the functionality of the circuit 𝐶.
However, when only given oracle access, we can invoke
2.3 Impossibility Results the obfuscation security of the compute-and-compare program
Impossibility Result in the Plain Model. In this paragraph, we and the semantic security of QFHE, finally removing the in-
come back to the discussions about impossibility results in formation of 𝑏 completely from the oracle, rendering the func-
the paragraph "Barriers for stateless one-time programs"(2.1). tionality as a regular SKE encryption sheme (which behaves
We describe the high level idea on constructing the program like a random oracle in the classical oracle model). The actual
Quantum One-Time Programs, Revisited STOC ’25, June 23–27, 2025, Prague, Czechia

proof is more intricate, involving a combination of hybrid ar- 2.4 Concurrent Work and Related Works
guments, quantum query lower bounds and induction, since Concurrent Work. A concurrent and independent work [19]
the secret information on 𝑎, 𝑏 is scattered around in the auxil- presents a construction of quantum one-time programs for
iary input. We direct readers to the full version for details. randomized classical functions. While our main constructions
are very similar, there are some differences between our works
Impossibility Result in the Oracle Model. In this section, we which we outline next. (1) We undertake a more comprehen-
show a circuit family with high-entropy output which can- sive study of security definitions for quantum one-time pro-
not be one-time programmed in the oracle model, with re- grams and come up with both simulation definitions in the
spect to the classical-output simulator definition discussed in oracle model as well as operational definitions in the oracle
Section 2.1. It can be one-time programmed with respect to and plain model. [19] focuses on the oracle model. (2) We
our single-effective-query simulator definition, but only in a show simulation-based security for our construction in the
"meaningless" sense, since both the simulator and the real- oracle model, which is stronger than the security definition
world adversary can fully learn the functionality. used in [19]. (3) We show an impossibility result for generic
In short, it demonstrates several separations: (1) It sepa- one-time randomized programs in the plain model; (4) We
rates a single-physical-query unlearnable function from single- give constructions for PRFs and NIZKs in the plain model
effective-query unlearnable: one can fully recover the func- whereas all constructions in [19] are in the oracle model; (5)
tionality once having a single effective query oracle, but one We also show a generic way to lift a plain signature schemes
cannot output two input-output pairs when having only one satisfying a security notion called blind unforgeability to one-
physical query. (2) It is a single-physical-query unlearnable time signature tokens. (5) On the other hand, the oracle con-
function that cannot be securely one-time programmed with struction in [19] is more generic by using any signature token
respect to the operational definition where we require the ad- state as the quantum part of the one-time program, whereas
versary to output two different correct evaluations. (3) Hav- we use the subspace state (namely, the signature token state
ing high min-entropy output distributions is not sufficient to in [8]).
prevent the adversary from evaluating twice (i.e. "meaning-
fully" one-time programmed). We would also like to make
a note that this result does not contradict our result on the
single-effective-query unlearnable families of functions men- One-Time Programs. One-time programs were first proposed
tioned in the full version because it is not truly random or by Goldwasser, Kalai, and Rothblum [16] and further studied
pairwise-independent. in a number of followup works [4, 17, 18]. Although these are
Now consider the following circuit. An adversary receives impossible in the plain model, a number of alternative mod-
an oracle-based one-time program and a simulator gets only els have been proposed to enable them, ranging from hard-
one (physical) query to the functionality’s oracle. Both are re- ware assumptions to protein sequencing. Broadbent, Gutoski,
quired to output a piece of classical information to a distin- and Stebila [11] asked the question of whether quantum me-
guisher. chanics can act as a stand-in for hardware assumptions. How-
Let 𝑎 be a uniformly random string in {0, 1}𝑛 . Let 𝑘 be a ran- ever, they found that quantum one-time programs are only
dom PRF key. The following PRF𝑘 (·) maps {0, 1}2𝑛 → {0, 1}2𝑛 . possible for “trivial” functions, which can be learned in a sin-
Let our circuit be the following: gle query, and are generally impossible for deterministic clas-
sical functions. A pair of later works circumvented the im-
possibility by allowing the program to output an incorrect
answer with some probability [23, 24]. Although their results


 (𝑎, PRF𝑘 (0∥𝑟 )) if 𝑥 = 0, are quite interesting, they do not give formal security defini-


𝑓𝑎,𝑘 (𝑥; 𝑟 ) = (𝑘, PRF𝑘 (𝑎∥𝑟 )) if 𝑥 = 𝑎, (1) tions for their scheme, and seem to assume a weaker adver-
sarial model where the evaluator must make many intermedi-

 (0, PRF𝑘 (𝑥 ∥𝑟 )) otherwise.

ate physical measurements in an online manner. In contrast,

we present a formal treatment with an adversary who may
When A is given an actual program, even using an oracle- perform arbitrary quantum computations on the one time
aided circuit, A can do the following: evaluate the program program as a whole.
on input 0 (and some randomness 𝑟 it cannot control) to get [12] develops a first quantum one-time program for clas-
output (𝑎, PRF𝑘 (0∥𝑟 )); but instead of measuring the entire out- sical message-authentication codes, assuming stateless classi-
put, only measure the first 𝑛-bits to get 𝑎 with probability cal hardware tokens.
1; evaluate the program again on 𝑎 and some 𝑟 ′ to obtain Besides, [22] studied security of classical one-time memory
(𝑘, PRF𝑘 (𝑎|𝑟 ′ )). Now it can reconstruct the classical descrip- under quantum superposition attacks. [21] builds quantum
tion of the entire circuit using 𝑎 and 𝑘. one-time memory with quantum random oracle in the depth-
But when given only a single physical query, we can re- bounded adversary model, where the honest party only needs
move the information of 𝑘 using [9] argument since for a a short-term quantum memory but the adversary, which at-
random 𝑘, no adversary should have non-negligible query tempts to maintain a quantum memory for a longer term can-
weight on 𝑘 with just one single query. not perform attacks due to bounded quantum depth.
STOC ’25, June 23–27, 2025, Prague, Czechia Gupte, Liu, Raizes, Roberts, Vaikuntanathan

Signature Tokens. Signature tokens are a special case of one- 308–326. https://doi.org/10.1007/978-3-642-11799-2_19
time programs that allow the evaluator to sign a single mes- [19] Sam Gunn and Ramis Movassagh. 2024. Quantum One-Time Protection
of any Randomized Algorithm. private communication (2024).
sage, and no more. They were proposed by Ben-David and [20] Satoshi Hada. 2000. Zero-Knowledge and Code Obfuscation. In ASI-
Sattath [8] in the oracle model and subsequently generalized ACRYPT 2000 (LNCS, Vol. 1976), Tatsuaki Okamoto (Ed.). Springer, Berlin,
Heidelberg, 443–457. https://doi.org/10.1007/3-540-44448-3_34
to the plain model using indistinguishability obfuscation [14]. [21] Qipeng Liu. 2023. Depth-Bounded Quantum Cryptography with Appli-
Both of these works consider a very specific form of one-time cations to One-Time Memory and More.. In 14th Innovations in Theoretical
security: an adversarial evaluator should not be able to out- Computer Science Conference (ITCS 2023).
[22] Qipeng Liu, Amit Sahai, and Mark Zhandry. 2020. Quantum immune
put two (whole) valid signatures. one-time memories. Cryptology ePrint Archive (2020).
[23] Marie-Christine Roehsner, Joshua A. Kettlewell, Tiago B. Batalhão,
Joseph F. Fitzsimons, and Philip Walther. 2018. Quantum advantage for
References probabilistic one-time programs. Nature Communications 9, 1 (06 Dec 2018),
[1] Scott Aaronson. 2004. Limitations of quantum advice and one-way com- 5225. https://doi.org/10.1038/s41467-018-07591-2
munication. In Proceedings. 19th IEEE Annual Conference on Computational [24] Marie-Christine Roehsner, Joshua A. Kettlewell, Joseph Fitzsimons, and
Complexity, 2004. IEEE, 320–332. Philip Walther. 2021. Probabilistic one-time programs using quantum
[2] Scott Aaronson and Paul Christiano. 2012. Quantum money from hid- entanglement. npj Quantum Information 7, 1 (15 Jun 2021), 98. https:
den subspaces. In Proceedings of the forty-fourth annual ACM symposium on //doi.org/10.1038/s41534-021-00435-w
Theory of computing. ACM, 41–60. [25] Amit Sahai and Brent Waters. 2014. How to use indistinguishability ob-
[3] Gorjan Alagic, Zvika Brakerski, Yfke Dulek, and Christian Schaffner. 2020. fuscation: deniable encryption, and more. In Proceedings of the forty-sixth
Impossibility of Quantum Virtual Black-Box Obfuscation of Classical Cir- annual ACM symposium on Theory of computing. 475–484.
cuits. arXiv:2005.06432 [quant-ph] [26] Andreas Winter. 1999. Coding theorem and strong converse for quantum
[4] Ghada Almashaqbeh, Ran Canetti, Yaniv Erlich, Jonathan Gershoni, Tal channels. IEEE Transactions on Information Theory 45, 7 (1999), 2481–2485.
Malkin, Itsik Pe’er, Anna Roitburd-Berman, and Eran Tromer. 2022. Un- [27] W. K. Wootters and W. H. Zurek. 1982. A single quantum cannot be cloned.
clonable Polymers and Their Cryptographic Applications. In EURO- Nature 299, 5886 (Oct. 1982), 802–803. https://doi.org/10.1038/299802a0
CRYPT 2022, Part I (LNCS, Vol. 13275), Orr Dunkelman and Stefan Dziem- [28] Mark Zhandry. 2019. How to Record Quantum Queries, and Applica-
bowski (Eds.). Springer, Cham, 759–789. https://doi.org/10.1007/978-3-031- tions to Quantum Indifferentiability. In Advances in Cryptology – CRYPTO
06944-4_26 2019, Alexandra Boldyreva and Daniele Micciancio (Eds.). Springer Inter-
[5] Prabhanjan Ananth and Rolando L. La Placa. 2021. Secure Software Leas- national Publishing, Cham, 239–268.
ing. Springer-Verlag.
[6] Boaz Barak, Oded Goldreich, Rusell Impagliazzo, Steven Rudich, Amit Received 2024-11-04; accepted 2025-02-01
Sahai, Salil Vadhan, and Ke Yang. 2001. On the (im) possibility of obfus-
cating programs. In Annual International Cryptology Conference. Springer,
1–18.
[7] James Bartusek, Fuyuki Kitagawa, Ryo Nishimaki, and Takashi Ya-
makawa. 2023. Obfuscation of pseudo-deterministic quantum circuits.
In Proceedings of the 55th Annual ACM Symposium on Theory of Computing.
1567–1578.
[8] Shalev Ben-David and Or Sattath. 2023. Quantum tokens for digital sig-
natures. Quantum 7 (2023), 901.
[9] Charles H Bennett, Ethan Bernstein, Gilles Brassard, and Umesh Vazirani.
1997. Strengths and weaknesses of quantum computing. SIAM journal on
Computing 26, 5 (1997), 1510–1523.
[10] Dan Boneh, Sam Kim, and David J Wu. 2017. Constrained keys for in-
vertible pseudorandom functions. In Theory of Cryptography Conference.
Springer, 237–263.
[11] Anne Broadbent, Gus Gutoski, and Douglas Stebila. 2013. Quantum one-
time programs. In Annual Cryptology Conference. Springer, 344–360.
[12] Kai-Min Chung, Marios Georgiou, Ching-Yi Lai, and Vassilis Zikas. 2019.
Cryptography with disposable backdoors. Cryptography 3, 3 (2019), 22.
[13] Andrea Coladangelo, Jiahui Liu, Qipeng Liu, and Mark Zhandry. 2021.
Hidden cosets and applications to unclonable cryptography. In Advances
in Cryptology–CRYPTO 2021: 41st Annual International Cryptology Confer-
ence, CRYPTO 2021, Virtual Event, August 16–20, 2021, Proceedings, Part I
41. Springer, 556–584.
[14] Andrea Coladangelo, Jiahui Liu, Qipeng Liu, and Mark Zhandry.
2021. Hidden Cosets and Applications to Unclonable Cryptography. In
CRYPTO 2021, Part I (LNCS, Vol. 12825), Tal Malkin and Chris Peikert
(Eds.). Springer, Cham, Virtual Event, 556–584. https://doi.org/10.1007/978-
3-030-84242-0_20
[15] Shafi Goldwasser, Yael Tauman Kalai, and Guy N Rothblum. 2008. One-
time programs. In Advances in Cryptology–CRYPTO 2008: 28th Annual In-
ternational Cryptology Conference, Santa Barbara, CA, USA, August 17-21,
2008. Proceedings 28. Springer, 39–56.
[16] Shafi Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. 2008. One-
Time Programs. In CRYPTO 2008 (LNCS, Vol. 5157), David Wagner (Ed.).
Springer, Berlin, Heidelberg, 39–56. https://doi.org/10.1007/978-3-540-85174-
5_3
[17] Rishab Goyal and Vipul Goyal. 2017. Overcoming Cryptographic Impos-
sibility Results Using Blockchains. In TCC 2017, Part I (LNCS, Vol. 10677),
Yael Kalai and Leonid Reyzin (Eds.). Springer, Cham, 529–561. https:
//doi.org/10.1007/978-3-319-70500-2_18
[18] Vipul Goyal, Yuval Ishai, Amit Sahai, Ramarathnam Venkatesan, and Ak-
shay Wadia. 2010. Founding Cryptography on Tamper-Proof Hardware
Tokens. In Theory of Cryptography, 7th Theory of Cryptography Conference,
TCC 2010, Zurich, Switzerland, February 9-11, 2010. Proceedings (Lecture
Notes in Computer Science, Vol. 5978), Daniele Micciancio (Ed.). Springer,