Slide 1
Non-interactive zero-knowledge with quantum random oracles
Dominique Unruh, University of Tartu
With Andris Ambainis, Ansis Rosmanis
Estonian Theory Days
WORK IN PROGRESS!
Slide 2
Classical crypto (quick intro.)
Slide 3: Non-interactive zero-knowledge (NIZK)
Statement x (a mathematical fact); witness w (a proof of that fact).
The prover P, holding w, outputs a ZK proof of x.
Zero-knowledge: the proof leaks nothing about the witness.
Soundness: it is hard to prove wrong statements.
Uses: proving honest behavior, signatures, …
Slide 4: Towards efficient NIZK: Sigma protocols
Three messages between prover and verifier: commitment (prover to verifier), challenge (verifier to prover), response (prover to verifier).
"Special soundness": two different responses to the same commitment allow one to compute the witness ⇒ for a wrong statement, the prover fails w.h.p.
Slide 5: Toward efficient NIZK: Random oracles
Model the hash function as a random function H: query x, receive H(x).
Many useful proof techniques:
Learn queries
Insert "special" answers ("programming")
Rewind and re-answer
Slide 6: NIZK with random oracles
Fiat-Shamir: the prover sends com, sets chal := H(com), and computes resp. The NIZK consists of com, chal, resp. The prover can't cheat: H acts like a verifier. Security proof: rewinding.
Fischlin: fix com; try different chal, resp until H(chal,resp) = xxx000; proof := com, chal, resp. The prover needs to query several chal, resp pairs, which implies existence of the witness.
Slide 7: Quantum!
Classical security is easy. But what if the adversary has a quantum computer?
Slide 8: The "pick-one trick" (simplified)
Given a set S, one can encode it as a quantum state |Ψ〉 such that for any set Z you find one x1 ∈ S ∩ Z, but not two x1, x2 ∈ S.
[Figure: the sets S and Z and the elements x1, x2]
Slide 9: Attacking Fischlin
Fischlin: fix com; try different chal, resp until H(chal,resp) = xxx000; proof = com, chal, resp.
Apply the pick-one trick with S = {chal,resp} and Z = {H(·) = xxx000}.
Result: a valid fake NIZK without knowing the witness! (Because we have only one S-element.)
[Fiat-Shamir attacked similarly]
Slide 10: How does the "pick-one trick" work?
Grover: quantum algorithm for searching.
Observation: the first step of Grover produces a state encoding the search space. This state (plus a modified Grover) implements the "pick-one trick".
Hard part: prove "can't find two x1, x2 ∈ S".
Slide 11: No efficient quantum NIZK?
All random oracle NIZKs broken? No: under extra conditions, Fiat-Shamir and Fischlin might work (no proof idea).
We found a provable new construction (less efficient).
Slide 12
Thank you for your attention.
This research was supported by the European Social Fund's Doctoral Studies and Internationalisation Programme DoRa.