Non-interactive quantum zero-knowledge proofs

Non-interactive quantum zero-knowledge proofs: Quantum “Fiat-Shamir”
Dominique Unruh, University of Tartu

Quantum NIZK with random oracle

Intro: Proof systems
- Prover P holds a statement x and a witness w; verifier V holds only the statement x.
- Soundness: the verifier accepts only true statements.
- Zero-knowledge: the verifier learns nothing.

Intro: Proof systems: sigma-protocols vs. non-interactive ZK
Sigma-protocols (three rounds: P sends a commitment, V a challenge, P a response):
- specific 3-round proofs
- versatile combiners
- simple to analyze
- weak security
Non-interactive ZK (P sends a single proof):
- ease of use
- concurrency, offline
- need RO or CRS
- lack of combiners
- specific languages

Intro: Best of two worlds
Fiat-Shamir: convert a sigma-protocol into a NIZK. Instead of P and V exchanging commitment, challenge and response, P sends (com, resp) with the challenge fixed as H(com).
- ease of use (concurrent, offline)
- versatile combiners
- simple analysis
- uses random oracle

Intro: Best of two worlds (ctd.)
Fiat-Shamir also implies: sigma-protocol → signatures (in the RO model).
Fischlin’s scheme: also sigma-protocol → NIZK (in the RO model); no rewinding (online extraction); less efficient.

Post-quantum security
- Quantum computers: a potential future threat; not there yet, but we need to be prepared.
- Post-quantum cryptography: classical crypto, secure against quantum attack.
- Is Fiat-Shamir post-quantum secure?

Fiat-Shamir soundness
Fiat-Shamir (P sends com, H(com), resp to V) can be seen as the prover interacting with the random oracle H in the role of the verifier: P sends com to H, receives chal := H(com), and sends the response to V.
- Rewinding → get two responses
- “Special soundness” of the sigma-protocol → compute witness
Quantum prover: superposition queries to H, messed-up state.

Saving (quantum) Fiat-Shamir?
- Existing quantum rewinding techniques (Watrous / Unruh) do not work with superposition queries.
- Ambainis, Rosmanis, Unruh: no relativizing security proof.
- Consequence: avoid rewinding!

NIZK without rewinding
Fischlin’s scheme: no rewinding; online extraction: list of queries → witness.
But again: no relativizing security proof. The list of queries is not well-defined for a quantum prover: one needs to measure to get them, and that disturbs the state.

Quantum online-extraction
- Idea: make the RO invertible (for the extractor).
- Ensure: all needed outputs are contained in the proof.
- Prover: queries H on x, obtains H(x), and includes it in the proof.
- Extractor: applies H⁻¹ to the proof, recovers x, and from x the witness.

Protocol construction
- Commitments com_1, …, com_t.
- For each com_i: challenges chal_i1, …, chal_im and the corresponding responses resp_i1, …, resp_im.
- Hash every resp_ij invertibly; the hash values go into the proof.
- Hash to get the selection of what to open (Fiat-Shamir style); all of this together is the proof.
- W.h.p. at least one com has two valid resp; the extractor gets them by inverting the hash, and two resp → witness.
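A worked toy instance of the transforms on these slides, added here as an example (this is not code from the talk or from its paper): the Fiat-Shamir transform of a sigma-protocol, special-soundness extraction from two responses to the same commitment, and the construction above with t commitments, m challenges each, every response hashed, and a Fiat-Shamir-style hash selecting which response to open. It assumes a Schnorr-style sigma-protocol in a constructed prime-order subgroup (p = 1019, q = 509, g = 4), SHA-256 with domain separation as the random-oracle stand-in, and brute force over the tiny response space in place of the invertible-oracle trick; the names fs_prove, unruh_prove, unruh_extract and demo are this example's own.

```python
import hashlib
import random

# Toy group, constructed for this example only: p, q prime, q | p-1, g of order q.
P, Q, G = 1019, 509, 4


def H(tag: str, *parts) -> int:
    """Random-oracle stand-in: SHA-256 with domain separation, reduced mod Q."""
    data = tag.encode() + b"|" + b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


# --- Schnorr sigma-protocol: proof of knowledge of w with x = g^w mod p ---
def sigma_commit(rng):
    r = rng.randrange(1, Q)
    return r, pow(G, r, P)                      # (prover state, commitment)


def sigma_respond(w, r, chal):
    return (r + chal * w) % Q


def sigma_verify(x, com, chal, resp):
    return pow(G, resp, P) == (com * pow(x, chal, P)) % P


def special_soundness(chal1, resp1, chal2, resp2):
    """Two accepting transcripts with the same com and chal1 != chal2 give w."""
    return ((resp1 - resp2) * pow(chal1 - chal2, -1, Q)) % Q


# --- Fiat-Shamir: challenge := H(com); the proof is (com, resp) ---
def fs_prove(x, w, rng):
    r, com = sigma_commit(rng)
    return com, sigma_respond(w, r, H("FS", x, com))


def fs_verify(x, proof):
    com, resp = proof
    return sigma_verify(x, com, H("FS", x, com), resp)


# --- Construction from the slide: t commitments, m challenges each ---
def select(x, coms, chals, hashes, i, m):
    """Fiat-Shamir-style selection of which response to open for commitment i."""
    return H("select", x, coms, chals, hashes, i) % m


def unruh_prove(x, w, rng, t=3, m=2):
    coms, chals, resps, hashes = [], [], [], []
    for _ in range(t):
        r, com = sigma_commit(rng)
        cs = rng.sample(range(Q), m)            # m distinct challenges
        rs = [sigma_respond(w, r, c) for c in cs]
        coms.append(com)
        chals.append(cs)
        resps.append(rs)
        hashes.append([H("G", s) for s in rs])  # "hash invertibly" every response
    opened = [resps[i][select(x, coms, chals, hashes, i, m)] for i in range(t)]
    return coms, chals, hashes, opened          # all of this together is the proof


def unruh_verify(x, proof, m=2):
    coms, chals, hashes, opened = proof
    for i, com in enumerate(coms):
        j = select(x, coms, chals, hashes, i, m)
        if (len(set(chals[i])) != m
                or H("G", opened[i]) != hashes[i][j]
                or not sigma_verify(x, com, chals[i][j], opened[i])):
            return False
    return True


def invert_G(h):
    """Stands in for inverting the almost-invertible oracle: brute force over Z_Q
    (feasible only because Q is tiny here). May return several candidates."""
    return [s for s in range(Q) if H("G", s) == h]


def unruh_extract(x, proof, m=2):
    """Online extractor: inverts the hashed responses, never rewinds the prover."""
    coms, chals, hashes, _ = proof
    for i, com in enumerate(coms):
        valid = []
        for j in range(m):
            for cand in invert_G(hashes[i][j]):
                if sigma_verify(x, com, chals[i][j], cand):
                    valid.append((chals[i][j], cand))
                    break
        if len(valid) >= 2:                     # two valid resp for one com -> witness
            (c1, s1), (c2, s2) = valid[:2]
            return special_soundness(c1, s1, c2, s2)
    return None


def demo(seed=7, w=123):
    """Run both transforms once and return the checks worth looking at."""
    rng = random.Random(seed)                   # deterministic toy randomness
    x = pow(G, w, P)
    fs = fs_prove(x, w, rng)
    r, com = sigma_commit(rng)
    proof = unruh_prove(x, w, rng)
    return {
        "fs_ok": fs_verify(x, fs),
        "fs_tampered_ok": fs_verify(x, (fs[0], (fs[1] + 1) % Q)),
        "ss_witness": special_soundness(5, sigma_respond(w, r, 5), 9, sigma_respond(w, r, 9)),
        "unruh_ok": unruh_verify(x, proof),
        "extracted": unruh_extract(x, proof),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over from the slides. The extractor's brute-force inversion can return several candidates per hash value, which is the "almost invertible, 2q candidates" situation of the next slide; it filters them with the sigma-protocol verifier. That filter is unambiguous here because Schnorr has exactly one accepting response for a given (com, chal), which is the "strict soundness" / "unique responses" property the later slides rely on.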

Invertible random oracle
- Random functions: not invertible.
- Zhandry: RO ≈ 2q-wise independent function.
- Idea: use an invertible 2q-wise independent function. Problem: none known.
- Solution: degree-2q polynomials. Almost invertible (2q candidates): good enough.

Final result
Theorem: If the sigma-protocol has honest-verifier zero-knowledge and special soundness, then our protocol is zero-knowledge and simulation-sound online extractable.

Further results
- Strongly unforgeable signatures (implied by the NIZK).
- New results for adaptive programming of the quantum random oracle.
- Invertible oracle trick (also used for a variant of Fujisaki-Okamoto).

Saving Fiat-Shamir?
Quantum prover: P queries H on |com⟩ in superposition, chal := |H(com)⟩, then sends resp to V; superposition queries, as many as P wants.
- Zero-knowledge: yes (same as for our protocol).
- Soundness: no [Ambainis Rosmanis U]; measuring chal disturbs the state.
- Hope: soundness if the underlying sigma-protocol has “strict soundness” / “unique responses”.

Strict soundness
Same setting: P queries H on |com⟩, chal := |H(com)⟩, sends resp to V; superposition queries, as many as P wants.
- Strict soundness: given com, chal, at most one possible resp.
- Helped before, for “proofs of knowledge”.
- Measuring the response is not disturbing (much).

Saving Fiat-Shamir now?
- With strict soundness: no counterexample.
- Proof still unclear (how to rewind without disturbing quantum queries).
- Can be reduced to a query-complexity problem.

The query complexity problem
Let M^H be a quantum circuit, using the random oracle H, implementing a projective measurement.
- Game 1: state |Ψ⟩, apply y₁ := M^H.
- Game 2: state |Ψ⟩, apply y₁ := M^H, then apply y₂ := M^{H(y₁ := random)}.
- Show: Pr[y₁ = y₂ ≠ ⊥ : Game 2] ≥ Pr[y₁ ≠ ⊥ : Game 1] / poly(#queries).

Thank you for your attention. This research was supported by the European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa.