20 research outputs found
Increasing the power of the verifier in Quantum Zero Knowledge
In quantum zero knowledge, the assumption was made that the verifier is only
using unitary operations. Under this assumption, many nice properties have been
shown about quantum zero knowledge, including the fact that Honest-Verifier
Quantum Statistical Zero Knowledge (HVQSZK) is equal to Cheating-Verifier
Quantum Statistical Zero Knowledge (QSZK) (see [Wat02,Wat06]).
In this paper, we study what happens when we allow an honest verifier to flip
some coins in addition to using unitary operations. Flipping a coin is a
non-unitary operation but doesn't seem at first to enhance the cheating
possibilities of the verifier since a classical honest verifier can flip coins.
In this setting, we show an unexpected result: any classical Interactive Proof
has an Honest-Verifier Quantum Statistical Zero Knowledge proof with coins.
Note that in the classical case, honest verifier SZK is no more powerful than
SZK and hence it is not believed to contain even NP. On the other hand, in the
case of cheating verifiers, we show that Quantum Statistical Zero Knowledge
where the verifier applies any non-unitary operation is equal to Quantum
Zero-Knowledge where the verifier uses only unitaries.
One can think of our results in two complementary ways. If we would like to
use the honest verifier model as a means to study the general model by taking
advantage of their equivalence, then it is imperative to use the unitary
definition without coins, since with the general one this equivalence is most
probably not true. On the other hand, if we would like to use quantum zero
knowledge protocols in a cryptographic scenario where the honest-but-curious
model is sufficient, then adding the unitary constraint severely decreases the
power of quantum zero knowledge protocols.Comment: 17 pages, 0 figures, to appear in FSTTCS'0
How to Base Security on the Perfect/Statistical Binding Property of Quantum Bit Commitment?
The concept of quantum bit commitment was introduced in the early 1980s for the purpose of basing bit commitments solely on principles of quantum theory. Unfortunately, such unconditional quantum bit commitments still turn out to be impossible. As a compromise like in classical cryptography, Dumais et al. [Paul Dumais et al., 2000] introduce the conditional quantum bit commitments that additionally rely on complexity assumptions. However, in contrast to classical bit commitments which are widely used in classical cryptography, up until now there is relatively little work towards studying the application of quantum bit commitments in quantum cryptography. This may be partly due to the well-known weakness of the general quantum binding that comes from the possible superposition attack of the sender of quantum commitments, making it unclear whether quantum commitments could be useful in quantum cryptography.
In this work, following Yan et al. [Jun Yan et al., 2015] we continue studying using (canonical non-interactive) perfectly/statistically-binding quantum bit commitments as the drop-in replacement of classical bit commitments in some well-known constructions. Specifically, we show that the (quantum) security can still be established for zero-knowledge proof, oblivious transfer, and proof-of-knowledge. In spite of this, we stress that the corresponding security analyses are by no means trivial extensions of their classical analyses; new techniques are needed to handle possible superposition attacks by the cheating sender of quantum bit commitments.
Since (canonical non-interactive) statistically-binding quantum bit commitments can be constructed from quantum-secure one-way functions, we hope using them (as opposed to classical commitments) in cryptographic constructions can reduce the round complexity and weaken the complexity assumption simultaneously
Computational Indistinguishability between Quantum States and Its Cryptographic Application
We introduce a computational problem of distinguishing between two specific
quantum states as a new cryptographic problem to design a quantum cryptographic
scheme that is "secure" against any polynomial-time quantum adversary. Our
problem, QSCDff, is to distinguish between two types of random coset states
with a hidden permutation over the symmetric group of finite degree. This
naturally generalizes the commonly-used distinction problem between two
probability distributions in computational cryptography. As our major
contribution, we show that QSCDff has three properties of cryptographic
interest: (i) QSCDff has a trapdoor; (ii) the average-case hardness of QSCDff
coincides with its worst-case hardness; and (iii) QSCDff is computationally at
least as hard as the graph automorphism problem in the worst case. These
cryptographic properties enable us to construct a quantum public-key
cryptosystem, which is likely to withstand any chosen plaintext attack of a
polynomial-time quantum adversary. We further discuss a generalization of
QSCDff, called QSCDcyc, and introduce a multi-bit encryption scheme that relies
on similar cryptographic properties of QSCDcyc.Comment: 24 pages, 2 figures. We improved presentation, and added more detail
proofs and follow-up of recent wor
Generalized Quantum Arthur-Merlin Games
This paper investigates the role of interaction and coins in public-coin
quantum interactive proof systems (also called quantum Arthur-Merlin games).
While prior works focused on classical public coins even in the quantum
setting, the present work introduces a generalized version of quantum
Arthur-Merlin games where the public coins can be quantum as well: the verifier
can send not only random bits, but also halves of EPR pairs. First, it is
proved that the class of two-turn quantum Arthur-Merlin games with quantum
public coins, denoted qq-QAM in this paper, does not change by adding a
constant number of turns of classical interactions prior to the communications
of the qq-QAM proof systems. This can be viewed as a quantum analogue of the
celebrated collapse theorem for AM due to Babai. To prove this collapse
theorem, this paper provides a natural complete problem for qq-QAM: deciding
whether the output of a given quantum circuit is close to a totally mixed
state. This complete problem is on the very line of the previous studies
investigating the hardness of checking the properties related to quantum
circuits, and is of independent interest. It is further proved that the class
qq-QAM_1 of two-turn quantum-public-coin quantum Arthur-Merlin proof systems
with perfect completeness gives new bounds for standard well-studied classes of
two-turn interactive proof systems. Finally, the collapse theorem above is
extended to comprehensively classify the role of interaction and public coins
in quantum Arthur-Merlin games: it is proved that, for any constant m>1, the
class of problems having an m-turn quantum Arthur-Merlin proof system is either
equal to PSPACE or equal to the class of problems having a two-turn quantum
Arthur-Merlin game of a specific type, which provides a complete set of quantum
analogues of Babai's collapse theorem.Comment: 31 pages + cover page, the proof of Lemma 27 (Lemma 24 in v1) is
corrected, and a new completeness result is adde
An Application of Quantum Finite Automata to Interactive Proof Systems
Quantum finite automata have been studied intensively since their
introduction in late 1990s as a natural model of a quantum computer with
finite-dimensional quantum memory space. This paper seeks their direct
application to interactive proof systems in which a mighty quantum prover
communicates with a quantum-automaton verifier through a common communication
cell. Our quantum interactive proof systems are juxtaposed to
Dwork-Stockmeyer's classical interactive proof systems whose verifiers are
two-way probabilistic automata. We demonstrate strengths and weaknesses of our
systems and further study how various restrictions on the behaviors of
quantum-automaton verifiers affect the power of quantum interactive proof
systems.Comment: This is an extended version of the conference paper in the
Proceedings of the 9th International Conference on Implementation and
Application of Automata, Lecture Notes in Computer Science, Springer-Verlag,
Kingston, Canada, July 22-24, 200
Certified Everlasting Zero-Knowledge Proof for QMA
In known constructions of classical zero-knowledge protocols for NP, either
of zero-knowledge or soundness holds only against computationally bounded
adversaries. Indeed, achieving both statistical zero-knowledge and statistical
soundness at the same time with classical verifier is impossible for NP unless
the polynomial-time hierarchy collapses, and it is also believed to be
impossible even with a quantum verifier. In this work, we introduce a novel
compromise, which we call the certified everlasting zero-knowledge proof for
QMA. It is a computational zero-knowledge proof for QMA, but the verifier
issues a classical certificate that shows that the verifier has deleted its
quantum information. If the certificate is valid, even unbounded malicious
verifier can no longer learn anything beyond the validity of the statement. We
construct a certified everlasting zero-knowledge proof for QMA. For the
construction, we introduce a new quantum cryptographic primitive, which we call
commitment with statistical binding and certified everlasting hiding, where the
hiding property becomes statistical once the receiver has issued a valid
certificate that shows that the receiver has deleted the committed information.
We construct commitment with statistical binding and certified everlasting
hiding from quantum encryption with certified deletion by Broadbent and Islam
[TCC 2020] (in a black box way), and then combine it with the quantum
sigma-protocol for QMA by Broadbent and Grilo [FOCS 2020] to construct the
certified everlasting zero-knowledge proof for QMA. Our constructions are
secure in the quantum random oracle model. Commitment with statistical binding
and certified everlasting hiding itself is of independent interest, and there
will be many other useful applications beyond zero-knowledge.Comment: 33 page
Spatial isolation implies zero knowledge even in a quantum world
Zero knowledge plays a central role in cryptography and complexity. The seminal work of Ben-Or et al. (STOC 1988) shows that zero knowledge can be achieved unconditionally for any language in NEXP, as long as one is willing to make a suitable physical assumption: if the provers are spatially isolated, then they can be assumed to be playing independent strategies. Quantum mechanics, however, tells us that this assumption is unrealistic, because spatially-isolated provers could share a quantum entangled state and realize a non-local correlated strategy. The MIP* model captures this setting. In this work we study the following question: does spatial isolation still suffice to unconditionally achieve zero knowledge even in the presence of quantum entanglement? We answer this question in the affirmative: we prove that every language in NEXP has a 2-prover zero knowledge interactive proof that is sound against entangled provers; that is, NEXP ⊆ ZK-MIP*. Our proof consists of constructing a zero knowledge interactive PCP with a strong algebraic structure, and then lifting it to the MIP* model. This lifting relies on a new framework that builds on recent advances in low-degree testing against entangled strategies, and clearly separates classical and quantum tools. Our main technical contribution is the development of new algebraic techniques for obtaining unconditional zero knowledge; this includes a zero knowledge variant of the celebrated sumcheck protocol, a key building block in many probabilistic proof systems. A core component of our sumcheck protocol is a new algebraic commitment scheme, whose analysis relies on algebraic complexity theory
Quantum Proofs
Quantum information and computation provide a fascinating twist on the notion
of proofs in computational complexity theory. For instance, one may consider a
quantum computational analogue of the complexity class \class{NP}, known as
QMA, in which a quantum state plays the role of a proof (also called a
certificate or witness), and is checked by a polynomial-time quantum
computation. For some problems, the fact that a quantum proof state could be a
superposition over exponentially many classical states appears to offer
computational advantages over classical proof strings. In the interactive proof
system setting, one may consider a verifier and one or more provers that
exchange and process quantum information rather than classical information
during an interaction for a given input string, giving rise to quantum
complexity classes such as QIP, QSZK, and QMIP* that represent natural quantum
analogues of IP, SZK, and MIP. While quantum interactive proof systems inherit
some properties from their classical counterparts, they also possess distinct
and uniquely quantum features that lead to an interesting landscape of
complexity classes based on variants of this model.
In this survey we provide an overview of many of the known results concerning
quantum proofs, computational models based on this concept, and properties of
the complexity classes they define. In particular, we discuss non-interactive
proofs and the complexity class QMA, single-prover quantum interactive proof
systems and the complexity class QIP, statistical zero-knowledge quantum
interactive proof systems and the complexity class \class{QSZK}, and
multiprover interactive proof systems and the complexity classes QMIP, QMIP*,
and MIP*.Comment: Survey published by NOW publisher