Zero-Knowledge Against Quantum Attacks

Similar documents
Zero-Knowledge Against Quantum Attacks

Limits on the power of quantum statistical zero-knowledge

Lecture 18: Zero-Knowledge Proofs

1 Recap: Interactive Proofs

arxiv: v1 [quant-ph] 11 Apr 2016

General Properties of Quantum Zero-Knowledge Proofs

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 9

6.896 Quantum Complexity Theory 30 October Lecture 17

Notes on Complexity Theory Last updated: November, Lecture 10

How many rounds can Random Selection handle?

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture 15 - Zero Knowledge Proofs

Lecture Notes 20: Zero-Knowledge Proofs

Lecture 10: Zero-Knowledge Proofs

QUANTUM ARTHUR MERLIN GAMES

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Classical Verification of Quantum Computations

Zero-Knowledge Proofs and Protocols

Lecture 3,4: Universal Composability

Quantum-Secure Coin-Flipping and Applications

A Framework for Non-Interactive Instance-Dependent Commitment Schemes (NIC)

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Notes for Lecture 27

Lecture 22: Quantum computational complexity

Round-Efficient Multi-party Computation with a Dishonest Majority

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

6.896 Quantum Complexity Theory November 4th, Lecture 18

Classical Verification of Quantum Computations

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

arxiv:cs/ v1 [cs.cc] 15 Jun 2005

Lecture 21: Quantum communication complexity

Round-Optimal Fully Black-Box Zero-Knowledge Arguments from One-Way Permutations

Introduction to Modern Cryptography. Benny Chor

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Lecture Notes 17. Randomness: The verifier can toss coins and is allowed to err with some (small) probability if it is unlucky in its coin tosses.

ON PARALLEL COMPOSITION OF ZERO-KNOWLEDGE PROOFS WITH BLACK-BOX QUANTUM SIMULATORS

On the query complexity of counterfeiting quantum money

CPSC 467: Cryptography and Computer Security

Commitment Schemes and Zero-Knowledge Protocols (2011)

Lecture 12: Interactive Proofs

Lecture 14: Quantum information revisited

Notes for Lecture 25

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

Session 4: Efficient Zero Knowledge. Yehuda Lindell Bar-Ilan University

Tsuyoshi Ito (McGill U) Hirotada Kobayashi (NII & JST) Keiji Matsumoto (NII & JST)

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Lecture 26: QIP and QMIP

From Secure MPC to Efficient Zero-Knowledge

Zero-Knowledge Proofs 1

Statistically Secure Sigma Protocols with Abort

Constant-round Leakage-resilient Zero-knowledge from Collision Resistance *

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Lecture: Quantum Information

An Epistemic Characterization of Zero Knowledge

Great Theoretical Ideas in Computer Science

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

Zero Knowledge and Soundness are Symmetric

On Achieving the Best of Both Worlds in Secure Multiparty Computation

An Epistemic Characterization of Zero Knowledge

How to Go Beyond the Black-Box Simulation Barrier

Lecture 19: Interactive Proofs and the PCP Theorem

Notes on Zero Knowledge

Quantum Simultaneous Contract Signing

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Lecture 3: Superdense coding, quantum circuits, and partial measurements

CS120, Quantum Cryptography, Fall 2016

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

Lecture 14: Secure Multiparty Computation

6.897: Advanced Topics in Cryptography. Lecturer: Ran Canetti

Interactive and Noninteractive Zero Knowledge are Equivalent in the Help Model

How to Go Beyond the Black-Box Simulation Barrier

arxiv: v7 [quant-ph] 20 Mar 2017

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Spatial Isolation Implies Zero Knowledge Even in a Quantum World

Quantum Information and the PCP Theorem

Quantum information and quantum mechanics: fundamental issues. John Preskill, Caltech 23 February

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

Quantum Proofs of Knowledge

CSC 2429 Approaches to the P versus NP Question. Lecture #12: April 2, 2014

Fang Song. Joint work with Sean Hallgren and Adam Smith. Computer Science and Engineering Penn State University

Interactive and Noninteractive Zero Knowledge Coincide in the Help Model

Concurrent Non-malleable Commitments from any One-way Function

CS286.2 Lecture 8: A variant of QPCP for multiplayer entangled games

Homework 3 Solutions

Fourier analysis of boolean functions in quantum computation

2 Natural Proofs: a barrier for proving circuit lower bounds

Compression and entanglement, entanglement transformations

Lecture 1: Overview of quantum information

Parallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness

Statistical WI (and more) in Two Messages

Lecture 22: Oct 29, Interactive proof for graph non-isomorphism

A survey on quantum-secure cryptographic systems

Constant-Round Non-Malleable Commitments from Any One-Way Function

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

On parallel composition of zero-knowledge proofs with black-box quantum simulators

arxiv: v2 [quant-ph] 16 Nov 2018

Complete Fairness in Secure Two-Party Computation

Transcription:

Zero-Knowledge Against Quantum Attacks John Watrous Department of Computer Science University of Calgary January 16, 2006 John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 1 / 22

Zero-Knowledge Proof Systems [GOLDWASSER, MICALI & RACKOFF, 1985] Assume that a promise problem A = (A yes, A no ) has been fixed. A zero-knowledge proof system for the problem A is a pair (V, P) of interacting parties; a (computationally bounded) verifier and a prover. Interaction: Both parties receive an input string x A yes A no, exchange messages with one another, and finally the verifier V produces an output string denoted (V, P)(x). Conditions: Completeness: If x A yes, then it must be the case that (V, P)(x) = 1 (accept) with high probability. Soundness: If x A no, then it must be the case that (V, P )(x) = 0 (reject) with high probability for every possible cheating prover P. Zero-knowledge: If x A yes, then no cheating verifier V can extract knowledge from an interaction with P. John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 2 / 22

What does it mean to extract knowledge? The notion of knowledge is a complexity-theoretic notion, and is different from information; it is formalized by means of the simulator paradigm. Informally: a verifier V learns nothing (i.e., fails to extract knowledge) from P if there exists a polynomial-time simulator S that produces an output that is indistinguishable from the output V would produce when interacting with P on any x A yes : x x V P S (V, P)(x) S(x) John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 3 / 22

Auxiliary inputs The previous informal definition is not quite strict enough to capture the notion of zero-knowledge, and gives rise to a class of protocols lacking certain desirable properties... We need to allow the cheating verifier V (as well as the simulator S) to take an auxiliary input string w. The outputs of these two processes should be indistinguishable provided x A yes : w x w x V P S (V (w), P)(x) S(x, w) John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 4 / 22

Auxiliary inputs This auxiliary input definition captures the idea that zero-knowledge proofs should not increase knowledge, and is closed under sequential composition. Definition of Zero-Knowledge (classical) An interactive proof system (P, V) for a given problem A = (A yes, A no ) is zero-knowledge if, for every polynomial-time verifier V there exists a polynomial-time simulator S such that, for every w and x A yes, (V (w), P)(x) and S(x, w) are indistinguishable. [GOLDWASSER, MICALI & RACKOFF, 1989]. Different notions of indistinguishability give rise to different variants of zero-knowledge, such as statistical and computational zero-knowledge. John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 5 / 22

Quantum version of the definition Suppose that some verifier V tries to use quantum information to extract knowledge from P. (Note that the prover P is still classical, so the input x and any information exchanged between V and P must be classical.) The interaction between V and P on input x induces some admissible mapping on the auxiliary input: ρ x V P Φ x (ρ) John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 6 / 22

Quantum version of the definition If P is zero-knowledge even against a verifier V that uses quantum information, then there should exist a simulator S that performs an admissible mapping Ψ x on the auxiliary input that is indistinguishable from Φ x (when x A yes ): ρ x ρ x V P S Φ x (ρ) Ψ x (ρ) John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 7 / 22

Problem with the quantum definition? These definitions are fairly straightforward... but have been considered problematic for several years. (The problem was apparently first identified by Jeroen van de Graaf in his 1997 PhD thesis.) The problem: No nontrivial protocols were previously shown to be zero-knowledge with respect to these definitions, even protocols already proved zero-knowledge in the classical setting. In order to describe the problem, it will be helpful to consider a simple and well-known zero-knowledge proof system for the Graph Isomorphism problem: Input: Two graphs G 0 and G 1 (given by adjacency matrices). Yes: G 0 and G 1 are isomorphic (G 0 = G1 ). No: G 0 and G 1 are not isomorphic (G 0 = G1 ). John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 8 / 22

A zero-knowledge proof system for Graph Isomorphism The following protocol (described for honest parties) is a zero-knowledge protocol for Graph Isomorphism [GOLDREICH, MICALI & WIDGERSON, 1991]. The GMW Graph Isomorphism Protocol Assume the input is a pair (G 0, G 1 ) of n-vertex graphs. Let σ S n be a permutation satisfying σ(g 1 ) = G 0 if G 0 = G1, and let σ be arbitrary otherwise. Prover s step 1: Choose π S n uniformly at random and send H = π(g 0 ) to the verifier. Verifier s step 1: Choose a {0, 1} randomly and send a to the prover. (Implicit: challenge prover to show H = G a.) Prover s step 2: Let τ = πσ a and send τ to the verifier. Verifier s step 2: Accept if τ(g a ) = H, reject otherwise. Sequential repetition reduces soundness error... John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 9 / 22

Zero-knowledge property for the GMW protocol The completeness and soundness properties are straightforward. Let us consider the zero-knowledge property... Consider a classical cheating verifier V : Verifier s step 1: Perform some arbitrary polynomial-time computation on (G 0, G 1 ), auxiliary input w, and H to obtain a {0, 1}. Send a to P. Verifier s step 2: Perform some arbitrary polynomial-time computation on (G 0, G 1 ), auxiliary input w, H, and τ to produce output. Simulator for V : 1. Choose b {0, 1} and τ S n uniformly, and let H = τ(g b ). 2. Simulate whatever V does given prover message H. Let a denote the resulting message back to the prover. 3. If a b then rewind: go back to step 1 and try again. 4. Output whatever V would after receiving τ. John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 10 / 22

Simulator for a cheating quantum verifier? Suppose that we have a cheating quantum verifier V that starts the protocol with an auxiliary quantum register W. Verifier s step 1: Perform some arbitrary polynomial-time quantum computation on (G 0, G 1 ), auxiliary input register W, and H to obtain a {0, 1}. Send a to P. For example: let a be the outcome of some binary-valued projective measurement {Π H 0, ΠH 1 } of W that depends on H. Verifier s step 2: Perform some arbitrary polynomial-time quantum computation to produce an output. How can we simulate such a verifier? John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 11 / 22

The no quantum rewinding issue Two principles are working against us: The no cloning theorem prevents making a copy of the auxiliary input register s state. Measurements are irreversible. Suppose that we randomly choose b and τ, and let H = τ(g b ) as for our simulator before. If the simulator guesses incorrectly (meaning a b), then the original state of W may not be recoverable. Rewinding by reversing the unitary transformation induced by [the verifier], or taking snapshots is impossible. But... showing that rewinding by reversing or by taking snapshots is impossible does not show that no other ways to rewind in polynomial time exist. [VAN DE GRAAF, 1997] John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 12 / 22

New results In the remainder of this talk I will argue that the GMW Graph Isomorphism protocol is indeed zero-knowledge against quantum verifiers: For any quantum verifier V, there exists a simulator S that induces precisely the same admissible mapping as the interaction between V and P (on a yes input to the problem). The method gives a way to rewind the simulator, but it requires more than just reversing the verifier s actions. (The entire simulation will be quantum, even though the prover is classical.) The method generalizes to several other protocols (but I will only discuss the Graph Isomorphism example in this talk for simplicity). John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 13 / 22

Assumptions on V Assume V uses three registers: W: stores the auxiliary input. V: represents workspace of arbitrary size. A: single qubit representing the message sent by V. Register W starts in the auxiliary state, and registers V and A are initialized to all zeroes. Assume V operates as follows: For each graph H on n vertices, V has a corresponding unitary transformation V H that acts on (W, V, A). Upon receiving H from P, the V applies V H to (W, V, A), measures A in the standard basis, and sends the result a to P. After P responds with some permutation τ, V simply outputs (W, V, A) along with the prover messages H and τ. John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 14 / 22

Simulator construction The simulator will use registers W, V, and A along with: P 1 : stores the prover s first message. B: stores the simulator s guess b for a. P 2 : stores the prover s second message. R: stores randomness used to generate transcripts. Define a unitary operator V on (W, V, A, P 1 ) that represents a unitary realization of V : V = V H H H. H Define T to be a unitary operation on registers (P 1, B, P 2, R) for which T : 00 0 1 τ(g b ) b τ b, τ. 2n! The operation T produces a superposition over transcripts. b,τ John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 15 / 22

Simulator construction Now define the simulator as follows: Simulator 1. Perform T, followed by V. 2. Perform a measurement {Π 0, Π 1 } whose outcome corresponds to the XOR of A and B (in the computational basis). 3. If the measurement outcome is 1, we need to rewind and try again: Perform V followed by T. Perform a phase flip in case any of the qubits in any of the registers (V, A, P 1, B, P 2, R) is set to 1 (i.e., perform 2 I, where = I W 00 0 00 0.) Perform T followed by V. 4. Output registers (W, V, A, P 1, P 2 ). (Registers B and R are traced out.) John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 16 / 22

Analysis of simulator Assume that the auxiliary input is ψ, and x = (G 0, G 1 ) for G 0 = G1. Let ϕ = ψ 00 0 be the state of all registers given this input. The simulator performs T, then V, then measures w.r.t. {Π 0, Π 1 }. Assuming G 0 = G1, the outcome will always be uniformly distributed. First, suppose that the measurement {Π 0, Π 1 } gives outcome 0. The resulting state of all registers is σ 0 = 2Π 0 VT ϕ. This is the target state: it represents a successful simulation because tr B,R σ 0 σ 0 = Φ( ψ ψ ). (Nothing is surprising here... the simulator has been lucky and didn t need to rewind.) John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 17 / 22

Analysis of simulator Suppose on the other hand that the measurement outcome was 1. The resulting state is σ 1 = 2Π 1 VT ϕ. Time to rewind and try again... Performing the rewind and try again procedure results in the state Claim VT(2 I)T V σ 1. VT(2 I)T V σ 1 = σ 0 (the target state). Note: this would not happen for arbitrary choices of ϕ, V, T, Π 0, Π 1, etc... the claim relies on the fact that the measurement {Π 0, Π 1 } gives outcome 0 and 1 with equal probability for all choices of ψ. John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 18 / 22

Proof of claim The fact that the measurement {Π 0, Π 1 } gives outcomes 0 and 1 with equal probability for all choice of ψ implies T V Π 0 VT = T V Π 1 VT = 1 2. Therefore σ 0 VT(2 I)T V σ 1 =2 ϕ T V Π 0 VT(2 I)T V Π 1 VT ϕ =4 ϕ T V Π 0 VT T V Π 1 VT ϕ 2 ϕ T V Π 0 VTT V Π 1 VT ϕ =4 ϕ T V Π 0 VT T V Π 1 VT ϕ = ϕ ϕ =1, so VT(2 I)T V σ 1 = σ 0. John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 19 / 22

Analysis of simulator This establishes that the admissible map Ψ agrees with the map Φ corresponding to the actual interaction on all pure state auxiliary inputs: for all ψ. Ψ( ψ ψ ) = Φ( ψ ψ ) Admissible maps are completely determined by their actions on pure state inputs, however, so Ψ = Φ; the simulator agrees precisely with the actual interaction on every possible state of the auxiliary input register (including the possibility it is entangled with another register). John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 20 / 22

Other protocols The simulation method just described can be adapted to prove several other protocols are zero-knowledge against quantum attacks, including: Quantum protocols for any problem having an honest verifier quantum statistical zero-knowledge proof system: QSZK = QSZK HV. The Goldreich-Micali-Wigderson Graph 3-Coloring protocol assuming unconditionally binding and quantum computationally concealing bit commitments. (See [ADCOCK & CLEVE, 2002].) Presumably several other proof systems... Adapting the simulator to other protocols may require iterating the rewind and try again process. John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 21 / 22

Future work/open questions 1. Find further applications and generalizations of the method. 2. Identify limitations of the method. 3. Identify good candidates for quantum one-way permutations. John Watrous (University of Calgary) Zero-Knowledge Against Quantum Attacks QIP 2006 22 / 22

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback