Slide 1
Non-interactive quantum zero-knowledge proofs
Dominique Unruh, University of Tartu
Quantum "Fiat-Shamir"
Slide 2
Intro: Proof systems
(Running footer on every slide: Quantum NIZK with random oracle)
The prover P holds the statement x and a witness w; the verifier V holds only the statement x. P convinces V that x is true.
Soundness: the verifier accepts only true statements.
Zero-knowledge: the verifier learns nothing beyond the fact that x is true.
Slide 3
Intro: Proof systems (ctd.)
Sigma-protocols (P -> V: commitment; V -> P: challenge; P -> V: response):
- Specific 3-round proofs
- Versatile combiners
- Simple to analyze
- Weak security (typically only honest-verifier zero-knowledge)
Non-interactive ZK (P -> V: a single proof):
- Ease of use
- Concurrency, offline use
- Need a random oracle (RO) or a common reference string (CRS)
- Lack of combiners
- Specific languages only
Slide 4
Intro: Best of two worlds
Fiat-Shamir: convert a sigma-protocol into a NIZK.
- Ease of use (concurrent, offline)
- Versatile combiners
- Simple analysis
- Uses a random oracle
Interactive: P -> V commitment, V -> P challenge, P -> V response.
Non-interactive: P sends com and resp, where the challenge is replaced by H(com), computed by the prover itself; V recomputes H(com) and checks the response against it.
Slide 5
Intro: Best of two worlds (ctd.)
Fiat-Shamir also implies: sigma-protocol => signatures (in the RO model).
Fischlin's scheme: also sigma-protocol => NIZK (in the RO model).
- No rewinding (online extraction)
- Less efficient
Slide 6
Post-quantum security
Quantum computers: a potential future threat. Not there yet, but we need to be prepared.
Post-quantum cryptography: classical crypto, secure against quantum attack.
Is Fiat-Shamir post-quantum secure?
Slide 7
Fiat-Shamir soundness
Fiat-Shamir can be seen as: P queries the oracle H on com and receives the challenge chall := H(com); the proof (com, resp) goes to V.
Classical soundness proof: rewinding -> get two responses for the same commitment -> "special soundness" of the sigma-protocol -> compute the witness.
Quantum: P can make superposition queries to H; measuring them to find the query point leaves a messed-up state.
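The sigma-protocol, the Fiat-Shamir transform and the rewinding argument of slides 3, 4 and 7, as an added worked example (example code written for this page, not code from the talk or its paper). It uses Schnorr's protocol for knowledge of a discrete logarithm in a constructed toy group (p = 2039, q = 1019, g = 4, far too small for real use), models the random oracle H as a lazily sampled table, and implements the classical rewinding extractor: run the prover twice on the same random tape with H reprogrammed at its single query point, obtain two responses for one commitment, and apply special soundness. The names ProgrammableRO, rewind_extract and demo are this example's own.

```python
import random

# Toy group, constructed for this example: p = 2q + 1 with p, q prime and
# g = 4 generating the subgroup of order q in Z_p^*. Far too small for real use.
P = 2039
Q = 1019
G = 4


class ProgrammableRO:
    """Lazily sampled random function into Z_q, standing in for the random oracle H.
    A 'patch' lets the extractor re-run a prover with H reprogrammed at one point."""

    def __init__(self, rng, patch=None):
        self.rng = rng
        self.table = dict(patch or {})

    def __call__(self, y, a):
        if (y, a) not in self.table:
            self.table[(y, a)] = self.rng.randrange(Q)
        return self.table[(y, a)]


# --- Schnorr sigma-protocol for knowledge of w with y = g^w (mod p).
def keygen(rng):
    w = rng.randrange(1, Q)
    return w, pow(G, w, P)


def sigma_commit(rng):
    r = rng.randrange(Q)
    return r, pow(G, r, P)            # commitment com = g^r


def sigma_respond(r, w, c):
    return (r + c * w) % Q             # response to challenge c


def sigma_verify(y, a, c, s):
    return pow(G, s, P) == (a * pow(y, c, P)) % P


def special_soundness_extract(a, c1, s1, c2, s2):
    """Special soundness: two accepting transcripts (a, c1, s1), (a, c2, s2) with the
    same commitment and c1 != c2 reveal w = (s1 - s2) / (c1 - c2) mod q."""
    if c1 == c2:
        raise ValueError("challenges must differ")
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q


# --- Fiat-Shamir: the challenge becomes H(y, com); the proof is (com, resp).
def fs_prove(y, w, ro, rng):
    r, a = sigma_commit(rng)
    c = ro(y, a)                       # no verifier interaction
    return a, sigma_respond(r, w, c)


def fs_verify(y, proof, ro):
    a, s = proof
    return sigma_verify(y, a, ro(y, a), s)


# --- Classical rewinding extractor. The prover is a black box
# prover(y, ro, rng) -> (com, resp). Running it twice on the same random tape,
# with H reprogrammed at its query point (y, com), yields two responses for one
# commitment; special soundness then gives the witness.
def rewind_extract(y, prover, seed):
    ro1 = ProgrammableRO(random.Random(seed + 1))
    a, s1 = prover(y, ro1, random.Random(seed))
    c1 = ro1(y, a)
    c2 = (c1 + 1) % Q                  # any challenge different from c1
    ro2 = ProgrammableRO(random.Random(seed + 1), patch={(y, a): c2})
    a2, s2 = prover(y, ro2, random.Random(seed))
    if a2 != a or not (sigma_verify(y, a, c1, s1) and sigma_verify(y, a, c2, s2)):
        return None                    # rewinding failed
    return special_soundness_extract(a, c1, s1, c2, s2)


def demo(seed=7):
    """Returns (honest proof verifies, tampered proof verifies, rewinding recovered w)."""
    rng = random.Random(seed)
    w, y = keygen(rng)
    ro = ProgrammableRO(random.Random(seed + 1))
    a, s = fs_prove(y, w, ro, rng)
    tampered = fs_verify(y, (a, (s + 1) % Q), ro)

    def honest_prover(y_, ro_, rng_):
        return fs_prove(y_, w, ro_, rng_)

    return fs_verify(y, (a, s), ro), tampered, rewind_extract(y, honest_prover, 42) == w


if __name__ == "__main__":
    print(demo())                      # (True, False, True)
```

The extractor works because a classical prover's oracle query is one definite point that can be reprogrammed between the two runs. A quantum prover queries H in superposition, so there is no single point at which to reprogram, and measuring the query register to find one disturbs the prover's state, which is exactly the obstacle the next slides turn to.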
Slide 8
Saving (quantum) Fiat-Shamir?
Existing quantum rewinding techniques (Watrous / Unruh) do not work with superposition queries.
Ambainis, Rosmanis, Unruh: no relativizing security proof.
Consequence: avoid rewinding!
Slide 9
NIZK without rewinding
Fischlin's scheme: no rewinding; online extraction: list of oracle queries => witness.
But again: no relativizing security proof.
List of queries: not well-defined for a quantum prover; one would need to measure to get them, and measuring disturbs the state.
Slide 10
Quantum online-extraction
Idea: make the RO invertible (for the extractor), and ensure that all needed oracle outputs are contained in the proof.
Prover: P queries H while building the proof.
Extractor: proof -> H^-1 -> witness.
Slide 11
Protocol construction
- Hash each response invertibly (with the invertible oracle).
- Hash everything to get the selection of what to open (Fiat-Shamir style).
- All this together is the proof.
- W.h.p. at least one commitment has two valid responses; the extractor gets them by inverting the hash.
- Two valid responses => witness (special soundness).
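The construction of slides 10 and 11 as an added worked example (example code written for this page; it is not the talk's or the paper's code). It uses Fiat-Shamir's square-root sigma-protocol with a binary challenge over a constructed toy modulus N = 101 * 103, hashes both responses of every commitment with an oracle G, selects which one to open with a Fiat-Shamir style hash H over everything, and extracts online by inverting G, without rewinding. The invertibility of G is simulated by recording the oracle's query table; that is an assumption of this example, a classical stand-in for the low-degree-polynomial oracle the talk uses, and exactly the list of queries that is not available against a quantum prover. The names prove, verify, extract, cheat_prove, RecordingOracle and the parameter T are this example's own.

```python
import hashlib
import math
import random

# Toy parameters, constructed for this example (far too small for real use); only N and x are public.
N = 101 * 103
T = 24   # parallel commitments; a prover without the witness passes with probability 2^-T

def enc(n):
    return int(n).to_bytes(8, "big")   # fixed-width encoding of responses before hashing

# --- Sigma-protocol: Fiat-Shamir's proof of knowledge of a square root w of x mod N.
# Commitment a = r^2, binary challenge c, response z = r * w^c; accept iff z^2 = a * x^c (mod N).
def sigma_commit(rng):
    r = rng.randrange(1, N)
    while math.gcd(r, N) != 1:   # keep r invertible so the extractor can divide by it
        r = rng.randrange(1, N)
    return r, pow(r, 2, N)

def sigma_respond(r, w, c):
    return (r * pow(w, c, N)) % N

def sigma_verify(x, a, c, z):
    return pow(z, 2, N) == (a * pow(x, c, N)) % N

def sigma_extract(z0, z1):
    return (z1 * pow(z0, -1, N)) % N   # special soundness: responses to both challenges give w

class RecordingOracle:
    """SHA-256 under a domain tag, recording every query so the extractor can invert it by
    table lookup: a classical stand-in (assumed here) for the talk's invertible polynomial oracle."""
    def __init__(self, tag):
        self.tag, self.table = tag, {}   # table: output -> input
    def __call__(self, data):
        out = hashlib.sha256(self.tag + data).digest()
        self.table[out] = data
        return out
    def invert(self, out):
        return self.table.get(out)

G = RecordingOracle(b"G")   # hashes the responses (invertibly, for the extractor)
H = RecordingOracle(b"H")   # Fiat-Shamir style hash selecting which response to open

def selection_bits(x, coms, hashes):
    digest = H(enc(x) + b"".join(map(enc, coms)) + b"".join(h0 + h1 for h0, h1 in hashes))
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(len(coms))]

def prove(x, w, rng):
    coms, hashes, resps = [], [], []
    for _ in range(T):
        r, a = sigma_commit(rng)
        z0, z1 = sigma_respond(r, w, 0), sigma_respond(r, w, 1)
        coms.append(a)
        resps.append((z0, z1))
        hashes.append((G(enc(z0)), G(enc(z1))))   # hash both responses; open only one later
    sel = selection_bits(x, coms, hashes)
    return {"coms": coms, "hashes": hashes, "opened": [resps[i][sel[i]] for i in range(T)]}

def verify(x, proof):
    coms, hashes, opened = proof["coms"], proof["hashes"], proof["opened"]
    if not len(coms) == len(hashes) == len(opened) == T:
        return False
    sel = selection_bits(x, coms, hashes)
    return all(sigma_verify(x, coms[i], sel[i], opened[i]) and G(enc(opened[i])) == hashes[i][sel[i]]
               for i in range(T))

def extract(x, proof):
    """Online extraction, no rewinding: invert the hash of the unopened response of each commitment."""
    coms, hashes, opened = proof["coms"], proof["hashes"], proof["opened"]
    sel = selection_bits(x, coms, hashes)
    for i in range(T):
        pre = G.invert(hashes[i][1 - sel[i]])
        other = int.from_bytes(pre, "big") if pre is not None and len(pre) == 8 else None
        if other is not None and sigma_verify(x, coms[i], 1 - sel[i], other):
            return sigma_extract(*((opened[i], other) if sel[i] == 0 else (other, opened[i])))
    return None

def cheat_prove(x, rng):
    """Prover without w: guesses each selection bit and prepares only that response."""
    coms, hashes, opened, guesses = [], [], [], []
    x_inv = pow(x, -1, N)
    for _ in range(T):
        c, z = rng.randrange(2), rng.randrange(1, N)
        coms.append((pow(z, 2, N) * pow(x_inv, c, N)) % N)   # a chosen so that z answers challenge c
        good, junk = G(enc(z)), G(enc(rng.randrange(N)))     # no valid response for the other challenge
        hashes.append((good, junk) if c == 0 else (junk, good))
        opened.append(z)
        guesses.append(c)
    proof = {"coms": coms, "hashes": hashes, "opened": opened}
    return proof, selection_bits(x, coms, hashes) == guesses   # accepted iff every guess was right

def demo(seed=2015):
    rng = random.Random(seed)
    w = 1234                  # gcd(1234, N) == 1; the public statement is x = w^2 mod N
    x = pow(w, 2, N)
    proof = prove(x, w, rng)
    cheat, lucky = cheat_prove(x, rng)
    return verify(x, proof), extract(x, proof), verify(x, cheat), lucky
```

demo() returns (True, 1234, accepted, lucky): the honest proof verifies and the extractor recovers w from the proof alone, while the witness-less prover is accepted exactly when all T selection bits match the challenges it guessed in advance, which happens with probability 2^-T. Nothing here is quantum; the point of the toy is the shape of the argument, in which every response the extractor needs is already committed to inside the proof and is recovered by inverting G rather than by rewinding.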
Slide 12
Invertible random oracle
Random functions: not invertible.
Zhandry: against an adversary making q quantum queries, a RO is indistinguishable from a 2q-wise independent function.
Idea: use an invertible 2q-wise independent function. Problem: none known.
Solution: low-degree polynomials over a finite field. Almost invertible: an output has at most as many preimages as the degree, so the extractor gets a short list of candidates. Good enough.
Slide 13
Final result
Theorem: if the sigma-protocol has honest-verifier zero-knowledge and special soundness, then our protocol is zero-knowledge and simulation-sound online extractable (in the quantum random oracle model).
Slide 14
Further results
- Strongly unforgeable signatures (implied by the NIZK)
- New results for adaptive programming of the quantum random oracle
- The invertible-oracle trick (also used for a variant of Fujisaki-Okamoto)
Slide 15
Saving Fiat-Shamir?
Setting: P may make superposition queries to H, as many as it wants.
Zero-knowledge: yes (same argument as for our protocol).
Soundness: no [Ambainis, Rosmanis, Unruh]; measuring the queries disturbs the state.
Hope: soundness if the underlying sigma-protocol has "strict soundness" / "unique responses".
Slide 16
Strict soundness
Strict soundness: given com and chall, there is at most one possible resp.
Helped before, for "proofs of knowledge" (same setting: P makes superposition queries to H, as many as it wants).
Measuring the response does not disturb the state (much), because it is already determined by com and chall.
Slide 17
Saving Fiat-Shamir now?
With strict soundness: no counterexample known.
Proof still unclear (how to rewind without disturbing the quantum queries).
Can be reduced to a query-complexity problem.
Slide 18
The query complexity problem
Let ___ be a quantum circuit, using random oracle ___, implementing a projective measurement ___.
Game 1: state ___, apply ___.
Game 2: state ___, apply ___, apply ___.
Show: ___
Slide 19
Thank you for your attention.
This research was supported by the European Social Fund's Doctoral Studies and Internationalisation Programme DoRa.