Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012.

Published byLorraine Park Modified over 8 years ago

Similar presentations

Presentation on theme: "Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012."— Presentation transcript:

1 Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012

2 Dominique Unruh Why quantum ZK? Zero-knowledge: Central tool in crypto Exhibits many issues “in the small case” Post-quantum crypto: Classical protocols secure against quantum adversaries If the quantum computer comes… Building blocks in quantum protocols Quantum Proofs of Knowledge2

3 Dominique Unruh Zero-knowledge: how to show? Given only malicious verifier: simulate interaction Quantum case: Rewinding = state copying! Quantum Proofs of Knowledge3 commitment challenge response Guess challenge Retry if wrong Verifier

4 Dominique Unruh Watrous’ quantum rewinding Cannot copy state  have to restore it Allows “oblivious” rewinding: Simulator rewinds, but forgets everything Quantum Proofs of Knowledge4 Sim Measure: success? Sim -1 stuff [Watrous 09]

5 Dominique Unruh Quantum ZK solved? Watrous’ rewinding covers many important ZK proofs: (But not all…) And not: Proofs of knowledge Quantum Proofs of Knowledge5

6 Dominique Unruh Proofs of knowledge Example: Want to prove age (e.g., e-passport) Quantum Proofs of Knowledge6 Prover Verifier I know a government-signature on document stating that I’m ≥ 18

7 Dominique Unruh Proofs of knowledge – definition Quantum Proofs of Knowledge7 If prover is successful: there is an extractor that, given provers state, outputs witness

8 Dominique Unruh Constructing extractors “Special soundness”: Two different responses allow to compute witness E.g., isomorphisms from J to G and H give isomorphis between G and H Quantum Proofs of Knowledge8 commitment challenge 1 response 1 challenge 2 response 2 rewind J GH Prover

9 Dominique Unruh Quantum extractors? Quantum case: Rewinding = copying. Not possible Watrous “oblivious” rewinding does not work: Forgets response 1 Quantum Proofs of Knowledge9 commitment challenge 1 response 1 challenge 2 response 2 rewind Prover

10 Dominique Unruh Canonical extractor 1.Run prover, measure commitment 2.Run prover on “challenge 1”, measure response 1 3.Run inverse prover 4.Run prover on “challenge 2”, measure response 2 Quantum Proofs of Knowledge10 M M M com chal. 1 chal. 2 res 1 res 2

11 Dominique Unruh Canonical extractor (ctd.) Does it work? Measuring “response 1” disturbs state Rewinding fails… Quantum Proofs of Knowledge11 M M M com chal. 1 chal. 2 res 1 res 2

12 Dominique Unruh Making extraction work Thought experiment: “response” was only 1 bit Then: measuring “res 1” disturbs only moderately Extraction would work Quantum Proofs of Knowledge12 M M M com chal. 1 chal. 2 res 1 res 2 moderate disturbance

13 Dominique Unruh Making extraction work (ctd.) Idea: Make “response” effectively be 1 bit “Strict soundness”: For any challenge, exists at most 1 valid response Given strict soundness, canonical extractor works! Quantum Proofs of Knowledge13 M M M com chal. 1 chal. 2 res 1 res 2 moderate disturbance

14 Dominique Unruh Main result Quantum Proofs of Knowledge14

15 Dominique Unruh Achieving strict soundness Graph Isomorphism proof does not have strict soundness – Unless graphs are “rigid” Discrete log proof has Alternative trick (for #challenges poly): – Commit to all responses in advance – Need: “Strict binding” for unique unveil Quantum Proofs of Knowledge15

16 Dominique Unruh Plugging things together Proof system for Hamiltonian cycles Commitments from injective OWFs Quantum Proofs of Knowledge16 Assuming injective quantum OWFs, quantum ZK proofs of knowledge exist for all NP languages Caveat: No candidates for injective OWFs known.

17 Dominique Unruh Future work Generalizations: Computational, more than 3 messages Other rewinding techniques? – Lunemann, Nielsen 11; Hallgren, Smith, Song 11 rewind in coin-toss for CRS Candidates for injective OWFs? Quantum Proofs of Knowledge17

18 Thank you for your attention! This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa

19 Quantum Proofs of Knowledge19

20 Dominique Unruh Zero Knowledge But I don’t want to tell you the proof! Zero Knowledge Proof: Prover cannot prove wrong statement Verifier does not learn anything Prover Verifier Quantum Proofs of Knowledge20

21 Dominique Unruh Quantum Proofs of Knowledge Zero Knowledge Powerful tool Combines privacy + integrity Test-bed for cryptographic techniques The drosophilia of cryptography 21

22 Dominique Unruh Quantum Proofs of Knowledge Zero Knowledge: How? Graphs G and H are isomorphic Permute G Permuted graph J Pick G or H G or H Iso between J and G or J and H Prover Verifier 22

23 Dominique Unruh Quantum Proofs of Knowledge Zero Knowledge: How? Permute G Permuted graph J Pick G or H G or H Iso between J and G or J and H G and H not isomorphic  Prover will get stuck with probability ½ Verifier does not learn anything: Could produce iso and J on his own 23

24 Dominique Unruh Quantum Proofs of Knowledge Zero Knowledge Zero knowledge proofs are possible… …for all statements in NP 24

25 Dominique Unruh Proofs of knowledge – definition Quantum Proofs of Knowledge25 If prover is successful: prover knows witness could output witness there is an extractor that, given provers state, outputs witness

Download ppt "Dominique Unruh Quantum Proofs of Knowledge Dominique Unruh University of Tartu Tartu, April 12, 2012."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:

A Verifiable Secret Shuffle of Homomorphic Encryptions Jens Groth UCLA On ePrint archive:
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.

Statistical Zero-Knowledge Arguments for NP from Any One-Way Function Salil Vadhan Minh Nguyen Shien Jin Ong Harvard University.
Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart

Zero Knowledge Proofs(2) Suzanne van Wijk & Maaike Zwart
The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.

The Complexity of Zero-Knowledge Proofs Salil Vadhan Harvard University.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.

Isolated PoK and Isolated ZK Ivan Damgård, Jesper Buus Nielsen and Daniel Wichs.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

Similar presentations

Ads by Google