
Non-interactive quantum zero-knowledge proofs


1 Non-interactive quantum zero-knowledge proofs
Quantum “Fiat-Shamir”
Dominique Unruh, University of Tartu

2 Intro: Proof systems
Prover P holds statement x and witness w; verifier V holds statement x
Soundness: Verifier accepts only true statements
Zero-knowledge: Verifier learns nothing
Quantum NIZK with random oracle

3 Intro: Proof systems
Non-interactive ZK: P sends a single proof to V
Sigma-protocols: P sends commitment, V sends challenge, P sends response
Non-interactive ZK: Ease of use; Concurrency, offline; Need RO or CRS; Lack of combiners; Specific languages
Sigma-protocols: Specific 3-round proofs; Versatile combiners; Simple to analyze; Weak security

4 Intro: Best of two worlds
Fiat-Shamir: Convert sigma-proto into NIZK
Ease of use (concurrent, offline)
Versatile combiners
Simple analysis
Uses random oracle
Sigma-protocol (P ↔ V: commitment, challenge, response) becomes NIZK (P → V: com, H(com), resp)

5 Intro: Best of two worlds (ctd.)
Fiat-Shamir also implies: Sigma-proto → signatures (in RO)
Fischlin’s scheme: Also: sigma-proto → NIZK (in RO)
No rewinding (online extraction)
Less efficient

6 Post-quantum security
Quantum computers: Potential future threat; not there yet, but we need to be prepared
Post-quantum cryptography: Classical crypto, secure against quantum attack
Is Fiat-Shamir post-quantum secure?

7 Fiat-Shamir soundness
Fiat-Shamir: P → V: com, H(com), resp
Can be seen as: P sends com to H, obtains chal := H(com), sends response to V
Rewinding → Get two responses
“Special soundness” of sigma-proto → Compute witness
Quantum: Superposition queries → messed-up state

8 Saving (quantum) Fiat-Shamir?
Existing quantum rewinding techniques (Watrous / Unruh): Do not work with superposition queries
Ambainis, Rosmanis, Unruh: No relativizing security proof
Consequence: Avoid rewinding!

9 NIZK without rewinding
Fischlin’s scheme: No rewinding
Online extraction: List of queries → Witness
But again: No relativizing security proof
List of queries: Not well-defined: need to measure to get them; disturbs state

10 Quantum online-extraction
Idea: Make RO invertible (for extractor)
Ensure: all needed outputs contained in proof
Prover: x → H → H(x) → proof
Extractor: H⁻¹ → x → witness

11 Protocol construction
Commitments com_1, com_2, …, com_t
For each com_i: challenges chal_i1, chal_i2, …, chal_im with responses resp_i1, resp_i2, …, resp_im
Hash each resp_ij invertibly
Hash to get selection of what to open (Fiat-Shamir style)
All this together is the proof
W.h.p. at least one com has two valid resp
Extractor gets them by inverting hash
Two resp → witness
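As an added example (not the talk's own code), the constructions of slides 4, 7 and 11 instantiated on a toy Schnorr sigma-protocol: plain Fiat-Shamir, special-soundness extraction from two transcripts sharing a commitment, and the t×m transform where every response is hashed before a Fiat-Shamir hash selects what to open. The group (P, Q, G), the domain-separated SHA-256 stand-in for H, and the preimage table that plays the role of the invertible oracle are assumptions; the talk's extractor inverts a degree-2q polynomial instead.

```python
import hashlib, secrets

# Toy Schnorr sigma-protocol over a safe prime (assumed instance; the talk only says "sigma-proto").
P, Q, G = 1019, 509, 4                      # modulus, subgroup order (P-1)/2, subgroup generator

def H(*parts):                              # SHA-256 stands in for the random oracle
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")
def keygen():  w = secrets.randbelow(Q); return w, pow(G, w, P)   # witness w, statement pk
def commit():  r = secrets.randbelow(Q); return r, pow(G, r, P)   # com = G^r
def respond(r, w, chal): return (r + chal * w) % Q
def verify(pk, com, chal, resp): return pow(G, resp, P) == com * pow(pk, chal, P) % P
def extract(c1, r1, c2, r2):                # special soundness: two transcripts, same com -> w
    return (r1 - r2) * pow(c1 - c2, -1, Q) % Q

# Plain Fiat-Shamir (slide 4): chal := H(com); proof = (com, resp).
def fs_prove(pk, w):  r, com = commit(); return com, respond(r, w, H("fs", pk, com) % Q)
def fs_verify(pk, com, resp): return verify(pk, com, H("fs", pk, com) % Q, resp)

# Slide-11 style transform: t commitments, m challenge/response pairs each, every response
# hashed with H("G", .), and H("select", .) choosing which response to open per commitment.
# `table` records the preimages the prover hashes; it stands in for the talk's invertible
# oracle (degree-2q polynomials), which is what lets the extractor invert without rewinding.
def select(sel, i, m): return (sel >> (8 * i)) % m

def unruh_prove(pk, w, table, t=3, m=2):
    coms, chals, hashed, resps, rng = [], [], [], [], secrets.SystemRandom()
    for _ in range(t):
        r, com = commit(); cs = rng.sample(range(1, Q), m)     # m distinct challenges
        rs = [respond(r, w, c) for c in cs]; hs = [H("G", x) for x in rs]
        table.update(zip(hs, rs))
        coms.append(com); chals.append(cs); hashed.append(hs); resps.append(rs)
    sel = H("select", pk, coms, chals, hashed)                   # Fiat-Shamir style selection
    return coms, chals, hashed, [resps[i][select(sel, i, m)] for i in range(t)]

def unruh_verify(pk, proof, m=2):
    coms, chals, hashed, opened = proof
    sel = H("select", pk, coms, chals, hashed)
    return all(H("G", opened[i]) == hashed[i][j] and verify(pk, coms[i], chals[i][j], opened[i])
               for i in range(len(coms)) for j in [select(sel, i, m)])

def online_extract(pk, proof, table):       # no rewinding: invert the response hashes
    coms, chals, hashed, _ = proof
    for com, cs, hs in zip(coms, chals, hashed):                 # w.h.p. some com has two valid resp
        ok = [(c, table[h]) for c, h in zip(cs, hs) if h in table and verify(pk, com, c, table[h])]
        if len(ok) >= 2: return extract(*ok[0], *ok[1])
    return None
```

With t=3 and m=2 a cheating prover who prepares only one valid response per commitment still guesses the selection with probability 2⁻³, so real instances use much larger t and m.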

12 Invertible random oracle
Random functions: not invertible
Zhandry: RO ≈ 2q-wise independent function
Idea: Use invertible 2q-wise independent function
Problem: None known
Solution: Degree-2q polynomials
Almost invertible (2q candidates)
Good enough
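Added example, not from the talk: a random degree-2q polynomial over a toy prime field used as the almost-invertible replacement for the random oracle, with the extractor-side inversion that yields at most 2q candidates. The field size P and the brute-force root search are assumptions made for readability.

```python
import secrets

P = 1019   # toy prime field for the oracle's domain and range (assumption; real instances are far larger)

def random_poly(q):
    """Uniformly random polynomial of degree 2q over F_P. Its evaluations are 2q-wise
    independent, so (Zhandry) no q-query quantum algorithm can tell it from a random
    oracle; unlike a random function it can be inverted."""
    coeffs = [secrets.randbelow(P) for _ in range(2 * q + 1)]   # coeffs[i] multiplies x^i
    if coeffs[-1] == 0: coeffs[-1] = 1                          # keep the degree exactly 2q
    return coeffs

def evaluate(coeffs, x):
    """f(x) mod P by Horner's rule; this is the oracle the prover queries."""
    acc = 0
    for c in reversed(coeffs): acc = (acc * x + c) % P
    return acc

def invert(coeffs, y):
    """Extractor side: every x with f(x) = y. f(x) - y is a nonzero polynomial of
    degree 2q, so there are at most 2q candidates. Brute force suffices for the toy
    field; a real extractor would run polynomial root finding instead."""
    return [x for x in range(P) if evaluate(coeffs, x) == y]

def extract_preimage(coeffs, y, accepts):
    """What the online extractor does with the candidates: try each one and keep the
    first that passes the verification predicate (e.g. a valid sigma-protocol response)."""
    return next((x for x in invert(coeffs, y) if accepts(x)), None)

def max_preimages(coeffs):
    """Largest fibre of f over the toy field; it never exceeds deg f = 2q."""
    counts = {}
    for x in range(P):
        y = evaluate(coeffs, x); counts[y] = counts.get(y, 0) + 1
    return max(counts.values())
```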

13 Final result
Theorem: If the sigma-protocol has: Honest-verifier zero-knowledge; Special soundness
Then our protocol is: Zero-knowledge; Simulation-sound online extractable

14 Further results
Strongly unforgeable signatures (implied by the NIZK)
New results for adaptive programming of quantum random oracle
Invertible oracle trick (also used for variant of Fujisaki-Okamoto)

15 Saving Fiat-Shamir?
P sends |com⟩ to H, obtains chal := |H(com)⟩, sends resp to V
Superposition queries, as many as P wants
Zero-knowledge: yes (same as for our proto)
Soundness: no [Ambainis Rosmanis U]; measuring chal disturbs state
Hope: Soundness if underlying sigma-protocol has “strict soundness” / “unique responses”

16 Strict soundness
P sends |com⟩ to H, obtains chal := |H(com)⟩, sends resp to V
Superposition queries, as many as P wants
Strict soundness: Given com, chal: at most one possible resp
Helped before, for “proofs of knowledge”
Measuring response not disturbing (much)

17 Saving Fiat-Shamir now?
With strict soundness: no counterexample
Proof still unclear (how to rewind without disturbing quantum queries)
Can be reduced to query-complexity problem

18 The query complexity problem
Let M^H be a quantum circuit, using random oracle H, implementing a projective measurement.
Game 1: State |Ψ⟩, apply y_1 := M^H.
Game 2: State |Ψ⟩, apply y_1 := M^H, then apply y_2 := M^{H(y_1 := random)} (H reprogrammed at y_1).
Show: Pr[y_1 = y_2 ≠ ⊥ : Game 2] ≥ Pr[y_1 ≠ ⊥ : Game 1] / poly(#queries)

19 Thank you for your attention
This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa

