1. Post-quantum Zero Knowledge in Constant Rounds. Tel Aviv University. Nir Bitansky, Omri Shmueli
2. Zero-Knowledge Protocols [Goldwasser, Micali, Rackoff 85] ... Accept/Reject
3. This work: ZK against quantum attacks
4. ZK against quantum attacks. Protocols are classical. ... Accept
5. ZK against quantum attacks. Soundness against efficient quantum provers. ... Reject
6. ... efficient quantum , efficient quantum , ZK against quantum attacks
7. The Round Complexity of ZK (rounds vs. security). Polynomial rounds: classical GMW86, quantum Wat05. Constant rounds: classical FS89, GK95; quantum ?. Note: Unknown even for quantum protocols.
8. Results. Assuming quantum FHE quantum LWE, Theorem: There exist constant-round QZK arguments for NP. Theorem: There exist quantumly-extractable classical commitments. Corollary [+BJSW16]: There exist constant-round QZK quantum arguments for QMA.
9. Main Focus and Challenges
10. Main focus: Extractable Commitments. Commitment scheme ZK protocol, specifically: Extractable commitments constant-round ZK [Rosen04]. Quantumly extractable commitment post-quantum constant-round ZK. Goal: quantumly-extractable commitment
11. Quantumly-Extractable (Classical) Commitments. Protocol: (, ) , in constant rounds. ...
12. Quantumly-Extractable (Classical) Commitments. (Perfect) Binding. Quantum Computational Hiding.
13. ... Quantumly-Extractable (Classical) Commitments efficient quantum , efficient quantum ,
14. Quantumly-Extractable (Classical) Commitments... efficient quantum , efficient quantum ,
15. Traditional Extraction Techniques
16. Traditional Extraction Techniques. The extractor copies the inner state. [Figure: Inner state]
17. Traditional Extraction Techniques. (1) The extractor copies the inner state. [Figure: Inner state]
18. Traditional Extraction Techniques. (2) continues interaction to obtain some sensitive information .. [Figure: Inner state]
19. Traditional Extraction Techniques. (3) Using the copy from before, “rewinds” . [Figure: Inner state]
20. Traditional Extraction Techniques. (4) Uses to extract more sensitive information. [Figure: Inner state]
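The four-step copy-and-rewind strategy above, as an added Python example that is not from the presentation: it uses Schnorr identification over a toy group as a stand-in protocol (the slides do not name one), with a prover whose nonce is erased after one response, so the second answer is available only from the extractor's copy of the inner state. The group parameters and the names `Prover`, `verify` and `rewinding_extract` are assumptions made for illustration.

```python
import copy
import secrets

# Constructed toy parameters (far too small for real use):
# P = 2Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4


class Prover:
    """Classical prover; its inner state is the witness x and the nonce r."""

    def __init__(self, witness):
        self.x = witness % Q
        self.r = None

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)

    def respond(self, challenge):
        # The nonce is erased after one use: this state answers only once.
        r, self.r = self.r, None
        return (r + challenge * self.x) % Q


def verify(y, a, c, s):
    """Schnorr check: G^s == a * y^c (mod P)."""
    return pow(G, s, P) == (a * pow(y, c, P)) % P


def rewinding_extract(prover, y):
    """Black-box extractor: never reads prover.x, only copies and queries."""
    a = prover.commit()
    snapshot = copy.deepcopy(prover)               # (1) copy the inner state
    c1 = secrets.randbelow(Q)
    s1 = prover.respond(c1)                        # (2) continue the interaction
    c2 = (c1 + 1 + secrets.randbelow(Q - 1)) % Q   # a challenge different from c1
    s2 = snapshot.respond(c2)                      # (3) "rewind" using the copy
    assert verify(y, a, c1, s1) and verify(y, a, c2, s2)
    # (4) two accepting answers for the same commitment reveal the witness
    return ((s1 - s2) * pow((c1 - c2) % Q, -1, Q)) % Q
```

Everything the extractor learns comes from step (1): without the `deepcopy`, the original prover has already discarded its nonce and cannot be asked a second challenge.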
21. The gap from classical techniques: Cloning. The previous extraction strategy fails in the quantum setting.
22. The gap from classical techniques: Cloning. No Cloning Theorem. [Figure: Inner state]
23. The gap from classical techniques: Cloning. [Figure: Inner state]
24. The gap from classical techniques: Cloning. measures to get [Figure: Inner state, Inner state]
25. The gap from classical techniques: Cloning. Traditional extractors are black-box and based only on rewinding cloning. Non-black-box [Barak-01]: Use the circuit to do more than rewinding.
26. The gap from classical techniques: Cloning. So, what about non-BB techniques? Don’t work, existing techniques either: Use cloning. Use tools not known for quantum computations (e.g. universal arguments). Question: Can we use the circuit of the sender to extract without cloning?
27. Our Extractable Commitment
28. Tools: Quantum Fully-Homomorphic Encryption (QFHE) [Mahadev18, Brakerski18]. (QHE.Keygen, QHE.Enc, QHE.Dec, QHE.Eval) . FHE that can evaluate quantum circuits.
29. Tools: Compute-and-Compare (CC) Obfuscation [Wichs-Zirdelis-17, Goyal-Koppula-Waters-17, Goyal-Koppula-Vusirikala-Waters-19]. CC circuit: Obf : Obf() . Correctness: . Security: For a random , hides .
30. Simplification: Explainable Adversaries: Messages can always be explained: consistent with transcript. Finding may be hard. Can abort. Captures the essence, can be compiled to malicious [Bitansky-Khurana-Paneth-19].
31. 1st Try: No-Cloning Extraction. Inspired by [Barak-Goldreich-Impagliazzo-Rudich-Sahai-Vadhan-Yang-01, Bitansky-Paneth-15, Bitansky-Khurana-Paneth-19]
32. 1st Try: No-Cloning Extraction. If send , QHE.keygen Obf(, , ()), = QHE.Dec(, ) QHE.Enc(pk, ), Binding: fixes .
33. 1st Try: No-Cloning Extraction. If send , QHE.keygen Obf(, , ()), = QHE.Dec(, ) QHE.Enc(pk, ), Hiding: (1) is random thus hides , . (2) is hidden by , hard to guess it and get .
34. 1st Try: No-Cloning Extraction. If send , QHE.keygen Obf(, , ()), = QHE.Dec(, ) QHE.Enc(pk, ), Extraction?
35. 1st Try: No-Cloning Extraction. Goal: Get an encryption of . [Figure: pk, , ; Inner state]
36. 1st Try: No-Cloning Extraction. Observation 1: Under the encryption, have [Figure: pk, , ; Inner state]
37. 1st Try: No-Cloning Extraction. [Figure: pk, , ; Inner state]
38. 1st Try: No-Cloning Extraction. Observation 2: returns for [Figure: pk, , ; Inner state]
39. 1st Try: No-Cloning Extraction. Can we get an encrypted ? Yes, using the circuit . [Figure: pk, , ; Inner state]
40. 1st Try: No-Cloning Extraction. QHE.Enc(pk, ) [Figure: pk, , ; Inner state]
41. 1st Try: No-Cloning Extraction. This is exactly an input to ! [Figure: pk, , ; Inner state]
42. 1st Try: No-Cloning Extraction. QHE.Eval( , (, ) ) [Figure: pk, , ; Inner state]
43. 1st Try: No-Cloning Extraction. 1. (, sk) = () 2. QHE.Dec(sk, ) Recall, inner state still under encryption. Done?
44. 1st Try: No-Cloning Extraction. Problem: view is easy to distinguish from real. , , We shouldn’t let know what was sent. Use two layers of homomorphic encryption.
45. Tools: Circuit-Private FHE (SFE). (SFE.Keygen, SFE.Enc, SFE.Dec, SFE.Eval) : FHE + circuit privacy. Circuit-Privacy: Ciphertext ct’ SFE.Eval(C, ct) hides the circuit C.
46. 2nd Try: No-Cloning Extraction. , QHE.keygen QHE.Enc(pk, ), SFE.Enc() SFE.Eval(, )
47. 2nd Try: No-Cloning Extraction. [Figure: pk, , ; Inner state]
48. 2nd Try: No-Cloning Extraction. This is not an input to … [Figure: pk, , ; Inner state]
49. 2nd Try: No-Cloning Extraction. Homomorphically evaluate the circuit: Input : 1. SFE.Enc() . 2. . 3. SFE.Dec() .
50. 2nd Try: No-Cloning Extraction. [Figure: pk, , ; Inner state]
51. 2nd Try: No-Cloning Extraction. Encrypt with SFE. [Figure: pk, , ; Inner state under SFE]
52. 2nd Try: No-Cloning Extraction. Execute . [Figure: pk, , ; Inner state under SFE]
53. 2nd Try: No-Cloning Extraction. Decrypt to get . [Figure: pk, , ; Inner state under SFE]
54. 2nd Try: No-Cloning Extraction. The scheme is extractable. The scheme is binding. What about hiding?
55. Problem: Malleability. Attack: pk , , FHE SFE SFE.Eval(, ) SFE FHE
56. Problem: Malleability. In the attack: did not know how to open . “Let it give an extractable commitment to SFE key”? pk , ,
57. Problem: Malleability. Are we back to square one? Observation 1: Hiding security reductions are existential. Observation 2: Receiver SFE key is independent.
58. 3rd (and last) Try: No-Cloning Extraction. pk, , SFE.Enc() SFE.Eval(, )
59. 3rd (and last) Try: No-Cloning Extraction. pk, , SFE.Enc() SFE.Eval(, ) Com()
60. 3rd (and last) Try: No-Cloning Extraction. Com() 1st message is w.l.o.g. deterministic. Given cheating , consider that has as non-uniform advice.
61. Thanks for listening!
62. Additional Hurdles. [Figure: pk, , ; Inner state under SFE]
63. Additional Hurdles. [Figure: pk, , ; Inner state under SFE]
64. will (abort/not abort)
65. pk, , pk, , SFE.Enc SFE hiding choice of independent of guess.