Randomized algorithms—such as those in machine learning and generative AI—are vulnerable to reverse engineering and reuse, risking leakage of model logic and training data. Method: This paper proposes the first quantum one-time protection scheme supporting arbitrary black-box randomized classical algorithms, including generative AI models. Its core is a hybrid protocol based on quantum one-time tokens: token size is independent of the protected program; no quantum coherence operations are required; and it is compatible with both NISQ and early fault-tolerant hardware. Contribution/Results: Leveraging min-entropy security analysis, we rigorously prove one-time execution security under high-entropy output conditions. The scheme’s security strength scales flexibly with available quantum resources, enabling the first truly practical, near-term deployable copyright protection framework for “model-as-a-service” (MaaS) deployments.

The meteoric rise in power and popularity of machine learning models dependent on valuable training data has reignited a basic tension between the power of running a program locally and the risk of exposing details of that program to the user. At the same time, fundamental properties of quantum states offer new solutions to data and program security that can require strikingly few quantum resources to exploit, and offer advantages outside of mere computational run time. In this work, we demonstrate such a solution with quantum one-time tokens. A quantum one-time token is a quantum state that permits a certain program to be evaluated exactly once. One-time security guarantees, roughly, that the token cannot be used to evaluate the program more than once. We propose a scheme for building quantum one-time tokens for any randomized classical program, which include generative AI models. We prove that the scheme satisfies an interesting definition of one-time security as long as outputs of the classical algorithm have high enough min-entropy, in a black box model. Importantly, the classical program being protected does not need to be implemented coherently on a quantum computer. In fact, the size and complexity of the quantum one-time token is independent of the program being protected, and additional quantum resources serve only to increase the security of the protocol. Due to this flexibility in adjusting the security, we believe that our proposal is parsimonious enough to serve as a promising candidate for a near-term useful demonstration of quantum computing in either the NISQ or early fault tolerant regime.