This work investigates how to achieve the strongest possible security for one-time programs (OTPs) for arbitrary quantum channels without relying on hardware assumptions. To this end, we introduce the notion of a "testable OTP compiler" and propose stateful quantum indistinguishability obfuscation (stateful quantum iO), establishing a theoretical connection between this primitive and the notion of "best-possible" OTP security. Leveraging a generalized single-effective-query (SEQ) security model within the classical oracle framework, we prove the impossibility of a universal best-possible OTP compiler. Nevertheless, we construct an OTP scheme satisfying SEQ security and the first stateful quantum iO scheme, both realized in the classical oracle model, thereby providing new theoretical foundations and a feasible pathway toward quantum one-time programs.

One-time programs (OTPs) aim to let a user evaluate a program on a single input while revealing nothing else. Classical OTPs require hardware assumptions, and even with quantum information, OTPs for deterministic functionalities remain impossible due to gentle-measurement attacks (Broadbent, Gutoski and Stebila, 2013). While recent works achieve positive results for certain randomized functionalities, the fundamental limits and the strongest achievable security notions remain poorly understood. In this paper, we ask for a "best-possible" OTP that achieves the strongest one-time security achievable by any OTP construction. We first show that a generic best-possible one-time compiler cannot exist, even for classical randomized functionalities (assuming lossy encryption schemes exist). Given this impossibility, we introduce a natural subclass of one-time compilers called "testable one-time program" compilers, which output quantum states augmented with reflection oracles for these program states. We show that best-possible testable OTP compilers are achievable by (1) formulating a generalized Single-Effective-Query (SEQ) simulation security notion for quantum channels and show that SEQ security implies best-possible testable one-time security, and (2) constructing SEQ-secure OTPs for all quantum functionalities in the classical oracle model. This yields the first OTP for arbitrary quantum channels beyond classical randomized functionalities. Finally, we propose stateful quantum indistinguishability obfuscation (stateful quantum iO) -- quantum state obfuscation for stateful quantum programs. We show that (1) stateful quantum iO implies best-possible testable OTPs and (2) stateful quantum iO is also achievable in the classical oracle model. These results identify stateful quantum iO as a promising approach towards best-possible testable OTPs.