
    Post-quantum Zero Knowledge in Constant Rounds

    We construct a constant-round zero-knowledge classical argument for NP secure against quantum attacks. We assume the existence of Quantum Fully-Homomorphic Encryption and other standard primitives, known based on the Learning with Errors Assumption for quantum algorithms. As a corollary, we also obtain a constant-round zero-knowledge quantum argument for QMA. At the heart of our protocol is a new no-cloning non-black-box simulation technique

    A Black-Box Approach to Post-Quantum Zero-Knowledge in Constant Rounds

    In a recent seminal work, Bitansky and Shmueli (STOC '20) gave the first construction of a constant round zero-knowledge argument for NP secure against quantum attacks. However, their construction has several drawbacks compared to the classical counterparts. Specifically, their construction only achieves computational soundness, requires strong assumptions of quantum hardness of learning with errors (QLWE assumption) and the existence of quantum fully homomorphic encryption (QFHE), and relies on non-black-box simulation. In this paper, we resolve these issues at the cost of weakening the notion of zero-knowledge to what is called $\epsilon$-zero-knowledge. Concretely, we construct the following protocols:
    - We construct a constant round interactive proof for NP that satisfies statistical soundness and black-box $\epsilon$-zero-knowledge against quantum attacks assuming the existence of collapsing hash functions, which is a quantum counterpart of collision-resistant hash functions. Interestingly, this construction is just an adapted version of the classical protocol by Goldreich and Kahan (JoC '96), though the proof of the $\epsilon$-zero-knowledge property against quantum adversaries requires novel ideas.
    - We construct a constant round interactive argument for NP that satisfies computational soundness and black-box $\epsilon$-zero-knowledge against quantum attacks only assuming the existence of post-quantum one-way functions.
    At the heart of our results is a new quantum rewinding technique that enables a simulator to extract a committed message of a malicious verifier while simulating the verifier's internal state in an appropriate sense.

    Post-Quantum Simulatable Extraction with Minimal Assumptions: Black-Box and Constant-Round

    From the minimal assumption of post-quantum semi-honest oblivious transfers, we build the first $\epsilon$-simulatable two-party computation (2PC) against quantum polynomial-time (QPT) adversaries that is both constant-round and black-box (for both the construction and security reduction). A recent work by Chia, Chung, Liu, and Yamakawa (FOCS '21) shows that post-quantum 2PC with standard simulation-based security is impossible in constant rounds, unless either $NP \subseteq BQP$ or relying on non-black-box simulation. The $\epsilon$-simulatability we target is a relaxation of the standard simulation-based security that allows for an arbitrarily small noticeable simulation error $\epsilon$. Moreover, when quantum communication is allowed, we can further weaken the assumption to post-quantum secure one-way functions (PQ-OWFs), while maintaining the constant-round and black-box property. Our techniques also yield the following set of constant-round and black-box two-party protocols secure against QPT adversaries, only assuming black-box access to PQ-OWFs:
    - extractable commitments for which the extractor is also an $\epsilon$-simulator;
    - $\epsilon$-zero-knowledge commit-and-prove whose commit stage is extractable with $\epsilon$-simulation;
    - $\epsilon$-simulatable coin-flipping;
    - $\epsilon$-zero-knowledge arguments of knowledge for NP for which the knowledge extractor is also an $\epsilon$-simulator;
    - $\epsilon$-zero-knowledge arguments for QMA.
    At the heart of the above results is a black-box extraction lemma showing how to efficiently extract secrets from QPT adversaries while disturbing their quantum state in a controllable manner, i.e., achieving $\epsilon$-simulatability of the post-extraction state of the adversary.

    Post-Quantum Zero-Knowledge with Space-Bounded Simulation

    The traditional definition of quantum zero-knowledge stipulates that the knowledge gained by any quantum polynomial-time verifier in an interactive protocol can be simulated by a quantum polynomial-time algorithm. One drawback of this definition is that it allows the simulator to consume significantly more computational resources than the verifier. We argue that this drawback renders the existing notion of quantum zero-knowledge not viable for certain settings, especially when dealing with near-term quantum devices. In this work, we initiate a fine-grained notion of post-quantum zero-knowledge that is more compatible with near-term quantum devices. We introduce the notion of $(s,f)$ space-bounded quantum zero-knowledge. In this new notion, we require that an $s$-qubit malicious verifier can be simulated by a quantum polynomial-time algorithm that uses at most $f(s)$ qubits, for some function $f(\cdot)$, and no restriction on the amount of the classical memory consumed by either the verifier or the simulator. We explore this notion and establish both positive and negative results:
    - For verifiers with logarithmic quantum space $s$ and (arbitrary) polynomial classical space, we show that $(s,f)$-space-bounded QZK, for $f(s)=2s$, can be achieved based on the existence of post-quantum one-way functions. Moreover, our protocol runs in constant rounds.
    - For verifiers with super-logarithmic quantum space $s$, assuming the existence of post-quantum secure one-way functions, we show that $(s,f)$-space-bounded QZK protocols, with fully black-box simulation (classical analogue of black-box simulation), can only be achieved for languages in BQP.

    Insider-proof encryption with applications for quantum key distribution

    It has been pointed out that current protocols for device independent quantum key distribution can leak key to the adversary when devices are used repeatedly and that this issue has not been addressed. We introduce the notion of an insider-proof channel. This allows us to propose a means by which devices with memories could be reused from one run of a device independent quantum key distribution protocol to the next while bounding the leakage to Eve, under the assumption that one run of the protocol could be completed securely using devices with memories. Comment: 20 pages, version 2: new presentation introducing the insider-proof channel as a cryptographic elemen

    Security of Quantum Bit-String Generation

    We consider the cryptographic task of bit-string generation. This is a generalisation of coin tossing in which two mistrustful parties wish to generate a string of random bits such that an honest party can be sure that the other cannot have biased the string too much. We consider a quantum protocol for this task, originally introduced in Phys. Rev. A 69, 022322 (2004), that is feasible with present day technology. We introduce security conditions based on the average bias of the bits and the Shannon entropy of the string. For each, we prove rigorous security bounds for this protocol in both noiseless and noisy conditions under the most general attacks allowed by quantum mechanics. Roughly speaking, in the absence of noise, a cheater can only bias significantly a vanishing fraction of the bits, whereas in the presence of noise, a cheater can bias a constant fraction, with this fraction depending quantitatively on the level of noise. We also discuss classical protocols for the same task, deriving upper bounds on how well a classical protocol can perform. This enables the determination of how much noise the quantum protocol can tolerate while still outperforming classical protocols. We raise several conjectures concerning both quantum and classical possibilities for large $n$ cryptography. An experiment corresponding to the scheme analysed in this paper has been performed and is reported elsewhere. Comment: 16 pages. No figures. Accepted for publication in Phys. Rev. A. A corresponding experiment is reported in quant-ph/040812

    Postprocessing can speed up general quantum search algorithms

    A general quantum search algorithm aims to evolve a quantum system from a known source state $|s\rangle$ to an unknown target state $|t\rangle$. It uses a diffusion operator $D_s$ having the source state as one of its eigenstates and $I_t$, where $I_\psi$ denotes the selective phase inversion of the $|\psi\rangle$ state. It evolves $|s\rangle$ to a particular state $|w\rangle$, call it the w-state, in $O(B/\alpha)$ time steps, where $\alpha$ is $|\langle t|s\rangle|$ and $B$ is a characteristic of the diffusion operator. Measuring the w-state gives the target state with success probability $O(1/B^2)$, and $O(B^2)$ applications of the algorithm can boost it from $O(1/B^2)$ to $O(1)$, making the total time complexity $O(B^3/\alpha)$. In the special case of Grover's algorithm, $D_s$ is $I_s$ and $B$ is very close to $1$. A more efficient way to boost the success probability is quantum amplitude amplification, provided we can efficiently implement $I_w$. Such an efficient implementation is not known so far. In this paper, we present an efficient algorithm to approximate selective phase inversions of the unknown eigenstates of an operator using the phase estimation algorithm. This algorithm is used to efficiently approximate $I_w$, which reduces the time complexity of the general algorithm to $O(B/\alpha)$. Though $O(B/\alpha)$ algorithms are known to exist, our algorithm offers physical implementation advantages. Comment: Accepted for publication in Physical Review A. arXiv admin note: substantial text overlap with arXiv:1210.464