Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Published byIliana Howey Modified over 9 years ago

Similar presentations

Presentation on theme: "Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian."— Presentation transcript:

1 Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian Theory Days WORK IN PROGRESS!

2 Dominique Unruh Non-interactive ZK with Quantum Random Oracles2 Classical Crypto (Quick intro.)

3 Dominique Unruh Non-interactive zero-knowledge (NIZK) Non-interactive ZK with Quantum Random Oracles3 Statement x (math. fact) Witness w (proof of fact) P ZK proof of x Zero-knowledge Proof leaks nothing about witness Soundness Hard to prove wrong statements Uses: Proving honest behavior, signatures, …

4 Dominique Unruh Towards efficient NIZK: Sigma protocols Non-interactive ZK with Quantum Random Oracles commitment challenge response Prover “Special soundness”:Two different responses allow to compute witness ⇒ For wrong statement, prover fails w.h.p. Verifier

5 Dominique Unruh Toward efficient NIZK: Random Oracles Model hash function as random function H Many useful proof techniques 5 H x H(x) Learn queries Insert “special” answers (“programming”) Rewind and re-answer

6 Dominique Unruh NIZK with random oracles Non-interactive ZK with Quantum Random Oracles6 Fiat-Shamir Fischlin com chal resp Prover H(com) NIZK consists of com,chal,resp Prover can’t cheat: H is like a verifier Security-proof: Rewinding Fix com Try different chal, resp until H(chal,resp)=xxx000 Proof := com,chal,resp Need to query several chal,resp Implies existence of witness

7 Dominique Unruh Non-interactive ZK with Quantum Random Oracles7 Quantum! Classical security easy. But if adversary has a quantum computer?

8 Dominique Unruh The “pick-one trick” (simplified) Given a set S can encode it as a quantum state |Ψ 〉 s.t. for any set Z you find one x 1 ∈ S∩Z but not two x 1,x 2 ∈ S Non-interactive ZK with Quantum Random Oracles8 S Z x1x1 x2x2

9 Dominique Unruh Attacking Fischlin Non-interactive ZK with Quantum Random Oracles9 Fix com Try different chal, resp until H(chal,resp)=xxx000 Proof = com,chal,resp S={chal,resp} Z={H(·)=xxx000} Valid fake NIZK Without knowing witness! (Because we have only one S-element) [Fiat-Shamir attacked similarly]

10 Dominique Unruh How does “one-pick trick” work? Grover: Quantum algorithm for searching Observation: – First step of Grover produces a state encoding the search space This state (plus modified Grover) implements “one-pick trick” Hard part: Prove “can’t find two x 1,x 2 ∈ S ” Non-interactive ZK with Quantum Random Oracles10

11 Dominique Unruh No efficient quantum NIZK? Non-interactive ZK with Quantum Random Oracles11 All random oracle NIZK broken? No: under extra conditions, Fiat-Shamir and Fischlin might work (no proof idea) We found a provable new construction (less efficient)

12 Dominique Unruh I thank for your attention This research was supported by European Social Fund’s Doctoral Studies and Internationalisation Programme DoRa

Download ppt "Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian."

Similar presentations

Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.

The Future (and Past) of Quantum Lower Bounds by Polynomials Scott Aaronson UC Berkeley.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.

Are PCPs Inherent in Efficient Arguments? Guy Rothblum, MIT ) MSR-SVC ) IAS Salil Vadhan, Harvard University.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)

REDUCTION-RESILIENT CRYPTOGRAPHY: PRIMITIVES THAT RESIST REDUCTIONS FROM ALL STANDARD ASSUMPTIONS Daniel Wichs (Charles River Crypto Day ‘12)
Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,

Lecture 15 Zero-Knowledge Techniques. Peggy: “I know the password to the Federal Reserve System computer, the ingredients in McDonald’s secret sauce,
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.

13. Oktober 2010 | Dr.Marc Fischlin | Kryptosicherheit | 1 Adaptive Proofs of Knowledge in the Random Oracle Model 21. PKC 2015 Marc Fischlin joint work.
Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.

Optimistic Concurrent Zero-Knowledge Alon Rosen IDC Herzliya abhi shelat University of Virginia.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.

On the Composition of Public- Coin Zero-Knowledge Protocols Rafael Pass (Cornell) Wei-Lung Dustin Tseng (Cornell) Douglas Wiktröm (KTH) 1.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Rafael Pass Cornell University Limits of Provable Security From Standard Assumptions.

Rafael Pass Cornell University Limits of Provable Security From Standard Assumptions.
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

Similar presentations

Ads by Google