Download presentation

Presentation is loading. Please wait.

Published byIliana Howey Modified over 2 years ago

1
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian Theory Days WORK IN PROGRESS!

2
Dominique Unruh Non-interactive ZK with Quantum Random Oracles2 Classical Crypto (Quick intro.)

3
Dominique Unruh Non-interactive zero-knowledge (NIZK) Non-interactive ZK with Quantum Random Oracles3 Statement x (math. fact) Witness w (proof of fact) P ZK proof of x Zero-knowledge Proof leaks nothing about witness Soundness Hard to prove wrong statements Uses: Proving honest behavior, signatures, …

4
Dominique Unruh Towards efficient NIZK: Sigma protocols Non-interactive ZK with Quantum Random Oracles commitment challenge response Prover “Special soundness”:Two different responses allow to compute witness ⇒ For wrong statement, prover fails w.h.p. Verifier

5
Dominique Unruh Toward efficient NIZK: Random Oracles Model hash function as random function H Many useful proof techniques 5 H x H(x) Learn queries Insert “special” answers (“programming”) Rewind and re-answer

6
Dominique Unruh NIZK with random oracles Non-interactive ZK with Quantum Random Oracles6 Fiat-Shamir Fischlin com chal resp Prover H(com) NIZK consists of com,chal,resp Prover can’t cheat: H is like a verifier Security-proof: Rewinding Fix com Try different chal, resp until H(chal,resp)=xxx000 Proof := com,chal,resp Need to query several chal,resp Implies existence of witness

7
Dominique Unruh Non-interactive ZK with Quantum Random Oracles7 Quantum! Classical security easy. But if adversary has a quantum computer?

8
Dominique Unruh The “pick-one trick” (simplified) Given a set S can encode it as a quantum state |Ψ 〉 s.t. for any set Z you find one x 1 ∈ S∩Z but not two x 1,x 2 ∈ S Non-interactive ZK with Quantum Random Oracles8 S Z x1x1 x2x2

9
Dominique Unruh Attacking Fischlin Non-interactive ZK with Quantum Random Oracles9 Fix com Try different chal, resp until H(chal,resp)=xxx000 Proof = com,chal,resp S={chal,resp} Z={H(·)=xxx000} Valid fake NIZK Without knowing witness! (Because we have only one S-element) [Fiat-Shamir attacked similarly]

10
Dominique Unruh How does “one-pick trick” work? Grover: Quantum algorithm for searching Observation: – First step of Grover produces a state encoding the search space This state (plus modified Grover) implements “one-pick trick” Hard part: Prove “can’t find two x 1,x 2 ∈ S ” Non-interactive ZK with Quantum Random Oracles10

11
Dominique Unruh No efficient quantum NIZK? Non-interactive ZK with Quantum Random Oracles11 All random oracle NIZK broken? No: under extra conditions, Fiat-Shamir and Fischlin might work (no proof idea) We found a provable new construction (less efficient)

12
Dominique Unruh I thank for your attention This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa

Similar presentations

OK

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on classical economics states Ppt on polynomials and coordinate geometry distance Ppt on sbi mutual fund Ppt on e-retailing in india Ppt on db2 introduction to accounting Ppt on power sector reforms in india Ppt on bill of exchange for class 11 Ppt on general etiquettes Ppt on audible and inaudible sound Ppt on different model of atom